output-json-alert: print 'tunnel' JSON object if tunnel

Log src_ip, dst_ip and proto for root packet (p->root) if the
packet that triggered is inside a tunnel, as JSON object
'tunnel'. Also log recursion depth to indicate the depth of
the tunnel.

diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 031bebb17d7d8309580a2f72a0b0b6fc344794bf..135ee618edcb07b88f52702b96ce03b01afc601c 100644 (file)
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -218,6 +218,29 @@ void AlertJsonHeader(const Packet *p, const PacketAlert *pa, json_t *js)
     json_object_set_new(js, "alert", ajs);
 }
 
+static void AlertJsonTunnel(const Packet *p, json_t *js)
+{
+    json_t *tunnel = json_object();
+    if (tunnel == NULL)
+        return;
+
+    if (p->root == NULL) {
+        json_decref(tunnel);
+        return;
+    }
+
+    /* get a lock to access root packet fields */
+    SCMutex *m = &p->root->tunnel_mutex;
+
+    SCMutexLock(m);
+    JsonFiveTuple((const Packet *)p->root, 0, tunnel);
+    SCMutexUnlock(m);
+
+    json_object_set_new(tunnel, "depth", json_integer(p->recursion_level));
+
+    json_object_set_new(js, "tunnel", tunnel);
+}
+
 static void AlertJsonPacket(const Packet *p, json_t *js)
 {
     unsigned long len = GET_PKT_LEN(p) * 2;
@@ -261,6 +284,10 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
         /* alert */
         AlertJsonHeader(p, pa, js);
 
+        if (IS_TUNNEL_PKT(p)) {
+            AlertJsonTunnel(p, js);
+        }
+
         if (json_output_ctx->flags & LOG_JSON_HTTP) {
             if (p->flow != NULL) {
                 uint16_t proto = FlowGetAppProtocol(p->flow);