Doc: update eve-json-output ethernet description

author Joyce Yu <joyce.yu@cyber.gc.ca>

Mon, 17 Mar 2025 18:57:48 +0000 (14:57 -0400)

committer Victor Julien <victor@inliniac.net>

Thu, 20 Mar 2025 12:11:59 +0000 (13:11 +0100)
author Joyce Yu <joyce.yu@cyber.gc.ca>
Mon, 17 Mar 2025 18:57:48 +0000 (14:57 -0400)
committer Victor Julien <victor@inliniac.net>
Thu, 20 Mar 2025 12:11:59 +0000 (13:11 +0100)
diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst

index 7700725105c5fc88a2935fbd7b7944d998cd7c4c..7ebda748d0ecb34d54fc83d4bcc6fa83a4f1efd8 100644 (file)
--- a/doc/userguide/output/eve/eve-json-output.rst
+++ b/doc/userguide/output/eve/eve-json-output.rst
@@ -15,7 +15,9 @@ Each alert, http log, etc will go into this one file: 'eve.json'. This file
  can then be processed by 3rd party tools like Logstash (ELK) or jq.
  
  If ``ethernet`` is set to yes, then ethernet headers will be added to events
-if available.
+if available. If the ``pkt_src`` value is ``stream (flow timeout)``, then the
+``ethernet`` value will be populated with mac addresses from the flow's first
+packet with ethernet header.
  
  Output Buffering
  ~~~~~~~~~~~~~~~~
author	Joyce Yu <joyce.yu@cyber.gc.ca>
	Mon, 17 Mar 2025 18:57:48 +0000 (14:57 -0400)
committer	Victor Julien <victor@inliniac.net>
	Thu, 20 Mar 2025 12:11:59 +0000 (13:11 +0100)