static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
{
AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
- char timebuf[64];
if (p->alerts.cnt == 0)
return TM_ECODE_OK;
- CreateIsoTimeString(p->ts, timebuf, sizeof(timebuf));
-
for (int i = 0; i < p->alerts.cnt; i++) {
const PacketAlert *pa = &p->alerts.alerts[i];
if (unlikely(pa->s == NULL)) {
continue;
}
- JsonBuilder *jb = jb_new_object();
- if (unlikely(jb == NULL)) {
+ JsonBuilder *jb =
+ CreateEveHeader(p, LOG_DIR_PACKET, "alert", NULL, json_output_ctx->eve_ctx);
+ if (unlikely(jb == NULL))
return TM_ECODE_OK;
+
+ AlertJsonHeader(p, pa, jb, json_output_ctx->flags, NULL, NULL);
+
+ if (PacketIsTunnel(p)) {
+ AlertJsonTunnel(p, jb);
}
- /* just the timestamp, no tuple */
- jb_set_string(jb, "timestamp", timebuf);
+ /* base64-encoded full packet */
+ if (json_output_ctx->flags & LOG_JSON_PACKET) {
+ EvePacket(p, jb, 0);
+ }
- AlertJsonHeader(p, pa, jb, json_output_ctx->flags, NULL, NULL);
+ char *pcap_filename = PcapLogGetFilename();
+ if (pcap_filename != NULL) {
+ jb_set_string(jb, "capture_file", pcap_filename);
+ }
+
+ if (json_output_ctx->flags & LOG_JSON_VERDICT) {
+ EveAddVerdict(jb, p);
+ }
OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
jb_free(jb);
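Review bot: The new `jb == NULL` check after `CreateEveHeader()` is the only unbraced `if` in this hunk, and its `return TM_ECODE_OK;` leaves the `for` loop, so any later alerts on the same packet are dropped with nothing in the EVE output to show it. I would keep the braces the removed version had and state the consequence in a comment: `if (unlikely(jb == NULL)) { /* allocation failed: remaining alerts for this packet are not logged */ return TM_ECODE_OK; }`. `pcap_filename` is only read and passed to `jb_set_string()` here, so `const char *pcap_filename = PcapLogGetFilename();` would make that explicit. The loop and function body continue past the last visible line.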