eve/ftp-data: log alert metadata in ftp-data object

author Philippe Antoine <contact@catenacyber.fr>

Tue, 30 Nov 2021 13:21:48 +0000 (14:21 +0100)

committer Victor Julien <vjulien@oisf.net>

Tue, 7 Dec 2021 06:56:36 +0000 (07:56 +0100)
author Philippe Antoine <contact@catenacyber.fr>
Tue, 30 Nov 2021 13:21:48 +0000 (14:21 +0100)
committer Victor Julien <vjulien@oisf.net>
Tue, 7 Dec 2021 06:56:36 +0000 (07:56 +0100)
diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst

index 96b8f0518ada6fd6c2185085d34bcb3ba130806f..e93e8c467b74c7d6f0b19142edb10c9763c8a7e3 100644 (file)
--- a/doc/userguide/upgrade.rst
+++ b/doc/userguide/upgrade.rst
@@ -45,6 +45,7 @@ Logging changes
  ~~~~~~~~~~~~~~~
  - IKEv2 Eve logging changed, the event_type has become ``ike``. The fields ``errors`` and ``notify`` have moved to
    ``ike.ikev2.errors`` and ``ike.ikev2.notify``.
+- FTP DATA metadata for alerts are now logged in ``ftp_data`` instead of root.
  
  Other changes
  ~~~~~~~~~~~~~
diff --git a/src/output-json-alert.c b/src/output-json-alert.c

index 0ebe6fe0c1d7347972cbc2768da36d175e8c92b7..50d9bc216dc1ad42daa536379ff9ec4b6a80984f 100644 (file)
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -519,7 +519,10 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
              }
              break;
          case ALPROTO_FTPDATA:
+            jb_get_mark(jb, &mark);
+            jb_open_object(jb, "ftp_data");
              EveFTPDataAddMetadata(p->flow, jb);
+            jb_close(jb);
              break;
          case ALPROTO_DNP3:
              AlertJsonDnp3(p->flow, tx_id, jb);
author	Philippe Antoine <contact@catenacyber.fr>
	Tue, 30 Nov 2021 13:21:48 +0000 (14:21 +0100)
committer	Victor Julien <vjulien@oisf.net>
	Tue, 7 Dec 2021 06:56:36 +0000 (07:56 +0100)
doc/userguide/upgrade.rst		patch \| blob \| blame \| history
src/output-json-alert.c		patch \| blob \| blame \| history