output-json: add app_proto key in root

By adding the key in the root of *flow and fileinfo  events it
will be possible to get all events for one application layer by
using a 'event_type:proto OR app_proto:proto' filter. This will
permit to the analyst to get a good view of events related to
one protocol.

This patch also fixes a regression in file logging where app_proto
was available before 94dbd303e4744a40f3761265be7c73a7a4754764 create
the regression.

diff --git a/src/output-json-file.c b/src/output-json-file.c
index 9506a74670dc07c64906730e9623c17394bdebf9..32f3a9435c7f13ec66270d238fc7a7ebd8c76a5f 100644 (file)
--- a/src/output-json-file.c
+++ b/src/output-json-file.c
@@ -108,6 +108,8 @@ static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const F
             break;
     }
 
+    json_object_set_new(js, "app_proto",
+            json_string(AppProtoToString(p->flow->alproto)));
 
     json_t *fjs = json_object();
     if (unlikely(fjs == NULL)) {

diff --git a/src/output-json-flow.c b/src/output-json-flow.c
index 7ff0d3d22ebc46fb7d9d6c00b0a8bc04dff05baa..f89c32df7097a30879d6fbca265a82b26870c73f 100644 (file)
--- a/src/output-json-flow.c
+++ b/src/output-json-flow.c
@@ -188,7 +188,7 @@ static void JsonFlowLogJSON(JsonFlowLogThread *aft, json_t *js, Flow *f)
         return;
     }
 
-    json_object_set_new(hjs, "app_proto", json_string(AppProtoToString(f->alproto)));
+    json_object_set_new(js, "app_proto", json_string(AppProtoToString(f->alproto)));
 
     json_object_set_new(hjs, "pkts_toserver",
             json_integer(f->todstpktcnt));

diff --git a/src/output-json-netflow.c b/src/output-json-netflow.c
index 153beb3ded394dbaa4faf5acc6c6db4683e96985..1b1fa8c0bdeba68f7f0728c8f81208f87aaba6fe 100644 (file)
--- a/src/output-json-netflow.c
+++ b/src/output-json-netflow.c
@@ -194,7 +194,7 @@ static void JsonNetFlowLogJSONToServer(JsonNetFlowLogThread *aft, json_t *js, Fl
         return;
     }
 
-    json_object_set_new(hjs, "app_proto",
+    json_object_set_new(js, "app_proto",
             json_string(AppProtoToString(f->alproto_ts ? f->alproto_ts : f->alproto)));
 
     json_object_set_new(hjs, "pkts",
@@ -243,7 +243,7 @@ static void JsonNetFlowLogJSONToClient(JsonNetFlowLogThread *aft, json_t *js, Fl
         return;
     }
 
-    json_object_set_new(hjs, "app_proto",
+    json_object_set_new(js, "app_proto",
             json_string(AppProtoToString(f->alproto_tc ? f->alproto_tc : f->alproto)));
 
     json_object_set_new(hjs, "pkts",