eve/drop: don't log drops unless packet is dropped

In pass/drop combinations where the pass rule took precendence over
the drop, a "drop" false positive could still be logged due to the
storing of the drop record in the packet drop alert store.

Bug: #5867.
(cherry picked from commit 09348564f032ad61811d2a77aecc1d0472f4a656)

diff --git a/src/output-json-drop.c b/src/output-json-drop.c
index 8c403791f043dca2d3471eed67cebec201e2b195..90ca0dba61088f04c438bc830e9941acef53ac92 100644 (file)
--- a/src/output-json-drop.c
+++ b/src/output-json-drop.c
@@ -357,6 +357,10 @@ static int JsonDropLogCondition(ThreadVars *tv, const Packet *p)
         return FALSE;
     }
 
+    if (!PACKET_TEST_ACTION(p, ACTION_DROP)) {
+        return FALSE;
+    }
+
     if (g_droplog_flows_start && p->flow != NULL) {
         int ret = FALSE;
 
@@ -373,11 +377,9 @@ static int JsonDropLogCondition(ThreadVars *tv, const Packet *p)
             ret = TRUE;
 
         return ret;
-    } else if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
-        return TRUE;
     }
 
-    return FALSE;
+    return TRUE;
 }
 
 void JsonDropLogRegister (void)