flow: complete stats for app_layer protocol counters

In the case of a gap, or in the case of a flow where one side
is recognized, but the other is not before the end, we still
increase the counters to have consistency between

jq 'select(.event_type=="flow" and .app_proto=="ftp") | .app_proto'  log/eve.json | wc -l
jq 'select(.event_type=="stats") | .stats."app_layer".flow.ftp' log/eve.json

Ticket: #5769

diff --git a/src/app-layer.c b/src/app-layer.c
index 60f0ef5ddcfa88bf67ce262752810d2823a71fb4..8b5f307cdae8c35e97188fc0841c49d33941db2f 100644 (file)
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -603,6 +603,10 @@ static int TCPProtoDetect(ThreadVars *tv,
                 AppLayerIncFlowCounter(tv, f);
                 FlagPacketFlow(p, f, flags);
 
+            } else if (flags & STREAM_EOF) {
+                *alproto = f->alproto;
+                StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
+                AppLayerIncFlowCounter(tv, f);
             }
         } else {
             /* both sides unknown, let's see if we need to give up */
@@ -676,6 +680,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
             if (f->alproto == ALPROTO_UNKNOWN) {
                 goto failure;
             }
+            AppLayerIncFlowCounter(tv, f);
         }
         if (FlowChangeProto(f)) {
             FlowUnsetChangeProtoFlag(f);