doc: add JA3 fields to the TLS logger documentation

diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index 66eb7c68a5898988a201cf1d68abe70c6baf938f..7004b1e1085372dbf33f66e005f82c4545f55b4b 100644 (file)
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -383,6 +383,9 @@ If extended logging is enabled the following fields are also included:
 * "version": The SSL/TLS version used
 * "notbefore": The NotBefore field from the TLS certificate
 * "notafter": The NotAfter field from the TLS certificate
+* "ja3": The JA3 fingerprint consisting of both a JA3 hash and a JA3 string
+
+JA3 must be enabled in the Suricata config file (set 'app-layer.protocols.tls.ja3-fingerprints' to 'yes').
 
 In addition to this, custom logging also allows the following fields:
 

diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst
index d137f7ec034c762e63b162556a83df20a20f3ee8..232ef26338f563e069a7db370ac2899d58e16757 100644 (file)
--- a/doc/userguide/output/eve/eve-json-output.rst
+++ b/doc/userguide/output/eve/eve-json-output.rst
@@ -107,7 +107,7 @@ YAML::
             extended: yes     # enable this for extended logging information
             # custom allows to control which tls fields that are included
             # in eve-log
-            #custom: [subject, issuer, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
+            #custom: [subject, issuer, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3]
 
 The default is to log certificate subject and issuer. If ``extended`` is
 enabled, then the log gets more verbose.