flow/eve: separate flow and app_proto logging (jsonbuilder prep)
authorJason Ish <jason.ish@oisf.net>
Sun, 15 Mar 2020 15:50:45 +0000 (09:50 -0600)
committerVictor Julien <victor@inliniac.net>
Wed, 3 Jun 2020 11:36:55 +0000 (13:36 +0200)
Currently the flow logger also logs app_proto information,
but not to the flow object; instead it writes it to the root
object of the log record.

Refactor into 2 separate methods, one for the app_proto
and one for the flow, to make this more clear, as well
as make it easier to refactor for JsonBuilder as JsonBuilder
can only write to the currently open object.

src/output-json-alert.c
src/output-json-flow.c
src/output-json-flow.h

index 497d09b23002f2cd356bf04790cd26cdb66bb381..2b955c050eed07410a39d88afaaeffd28450ca46 100644 (file)
@@ -530,15 +530,13 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
         }
 
         if (p->flow) {
+            JsonAddAppProto(p->flow, js);
             if (json_output_ctx->flags & LOG_JSON_FLOW) {
                 hjs = json_object();
                 if (hjs != NULL) {
-                    JsonAddFlow(p->flow, js, hjs);
+                    JsonAddFlow(p->flow, hjs);
                     json_object_set_new(js, "flow", hjs);
                 }
-            } else {
-                json_object_set_new(js, "app_proto",
-                        json_string(AppProtoToString(p->flow->alproto)));
             }
         }
 
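Review bot: When LOG_JSON_FLOW is not set, the alert record's root object now receives every field JsonAddAppProto emits, whereas the removed else-branch wrote only "app_proto"; the second hunk of output-json-flow.c shows JsonAddAppProto also emitting a value derived from f->alproto_expect, and since the middle of that function is outside the visible hunks there may be further fields. That is a change to the eve alert schema for deployments with flow logging disabled, not only the code move the message describes, so consumers that parse the old shape should be told. If the extra fields are intended, the commit message should state it; if not, the old else-branch needs a helper that emits "app_proto" alone, e.g. keep `json_object_set_new(js, "app_proto", json_string(AppProtoToString(p->flow->alproto)));` in an else-branch. AlertJson begins before this hunk.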
index 171b9424d941d22b75a0ae9a7f39cd03cf9a6b81..6f58b5da992af4e6a431f75f7696de4438a3f043 100644 (file)
@@ -177,7 +177,7 @@ static json_t *CreateJSONHeaderFromFlow(const Flow *f, const char *event_type)
     return js;
 }
 
-void JsonAddFlow(Flow *f, json_t *js, json_t *hjs)
+void JsonAddAppProto(Flow *f, json_t *js)
 {
     json_object_set_new(js, "app_proto",
             json_string(AppProtoToString(f->alproto)));
@@ -198,42 +198,46 @@ void JsonAddFlow(Flow *f, json_t *js, json_t *hjs)
                 json_string(AppProtoToString(f->alproto_expect)));
     }
 
+}
+
+void JsonAddFlow(Flow *f, json_t *js)
+{
     FlowBypassInfo *fc = FlowGetStorageById(f, GetFlowBypassInfoID());
     if (fc) {
-        json_object_set_new(hjs, "pkts_toserver",
+        json_object_set_new(js, "pkts_toserver",
                 json_integer(f->todstpktcnt + fc->todstpktcnt));
-        json_object_set_new(hjs, "pkts_toclient",
+        json_object_set_new(js, "pkts_toclient",
                 json_integer(f->tosrcpktcnt + fc->tosrcpktcnt));
-        json_object_set_new(hjs, "bytes_toserver",
+        json_object_set_new(js, "bytes_toserver",
                 json_integer(f->todstbytecnt + fc->todstbytecnt));
-        json_object_set_new(hjs, "bytes_toclient",
+        json_object_set_new(js, "bytes_toclient",
                 json_integer(f->tosrcbytecnt + fc->tosrcbytecnt));
-        json_t *bhjs = json_object();
-        if (bhjs != NULL) {
-            json_object_set_new(bhjs, "pkts_toserver",
+        json_t *bjs = json_object();
+        if (bjs != NULL) {
+            json_object_set_new(bjs, "pkts_toserver",
                     json_integer(fc->todstpktcnt));
-            json_object_set_new(bhjs, "pkts_toclient",
+            json_object_set_new(bjs, "pkts_toclient",
                     json_integer(fc->tosrcpktcnt));
-            json_object_set_new(bhjs, "bytes_toserver",
+            json_object_set_new(bjs, "bytes_toserver",
                     json_integer(fc->todstbytecnt));
-            json_object_set_new(bhjs, "bytes_toclient",
+            json_object_set_new(bjs, "bytes_toclient",
                     json_integer(fc->tosrcbytecnt));
-            json_object_set_new(hjs, "bypassed", bhjs);
+            json_object_set_new(js, "bypassed", bjs);
         }
     } else {
-        json_object_set_new(hjs, "pkts_toserver",
+        json_object_set_new(js, "pkts_toserver",
                 json_integer(f->todstpktcnt));
-        json_object_set_new(hjs, "pkts_toclient",
+        json_object_set_new(js, "pkts_toclient",
                 json_integer(f->tosrcpktcnt));
-        json_object_set_new(hjs, "bytes_toserver",
+        json_object_set_new(js, "bytes_toserver",
                 json_integer(f->todstbytecnt));
-        json_object_set_new(hjs, "bytes_toclient",
+        json_object_set_new(js, "bytes_toclient",
                 json_integer(f->tosrcbytecnt));
     }
 
     char timebuf1[64];
     CreateIsoTimeString(&f->startts, timebuf1, sizeof(timebuf1));
-    json_object_set_new(hjs, "start", json_string(timebuf1));
+    json_object_set_new(js, "start", json_string(timebuf1));
 }
 
 /* JSON format logging */
@@ -245,7 +249,8 @@ static void JsonFlowLogJSON(JsonFlowLogThread *aft, json_t *js, Flow *f)
         return;
     }
 
-    JsonAddFlow(f, js, hjs);
+    JsonAddAppProto(f, js);
+    JsonAddFlow(f, hjs);
 
     char timebuf2[64];
     CreateIsoTimeString(&f->lastts, timebuf2, sizeof(timebuf2));
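Review bot: The two functions this file now exports, JsonAddAppProto (hunk at @@ -177) and JsonAddFlow (hunk at @@ -198), carry no doc comment, and renaming the second parameter of JsonAddFlow from hjs to js hides that the two functions write to different objects: JsonAddAppProto's js is the record's root object, while JsonAddFlow's js is the "flow" sub-object the caller creates (JsonFlowLogJSON passes hjs). A short comment on each definition would make that explicit, e.g. `/** \brief Add the app-layer protocol fields to the record's root object \a js. */` above JsonAddAppProto and `/** \brief Add packet/byte counters and start time to the "flow" object \a js; \a js must be a non-NULL object the caller already created. */` above JsonAddFlow, and the prototypes in output-json-flow.h would benefit from the same wording. Both visible callers check the flow object for NULL before calling JsonAddFlow, so stating that precondition is preferable to adding a check inside. JsonAddAppProto's body is split across the first two hunks, so the fields it emits between the two are not visible here.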
index 8af35ed0412507c2735fa3bab24bc140b1eda838..d4b017b522719a9e02bbc1dadc5e85ad74a2e51b 100644 (file)
@@ -25,6 +25,7 @@
 #define __OUTPUT_JSON_FLOW_H__
 
 void JsonFlowLogRegister(void);
-void JsonAddFlow(Flow *f, json_t *js, json_t *hjs);
+void JsonAddFlow(Flow *f, json_t *js);
+void JsonAddAppProto(Flow *f, json_t *js);
 
 #endif /* __OUTPUT_JSON_FLOW_H__ */