eve/flow: log tx_cnt

This patch adds a `tx_cnt` field to `netflow` events to give some
context about the underlying protocol activity.

Ticket: #7635

diff --git a/etc/schema.json b/etc/schema.json
index 774bf36df5441a986a17cfa60adf4d7fa2ae9030..24079a0c6a1dbacf61385e0f671da5f625101ae3 100644 (file)
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -1982,6 +1982,9 @@
                 },
                 "wrong_thread": {
                     "type": "boolean"
+                },
+                "tx_cnt": {
+                    "type": "integer"
                 }
             },
             "additionalProperties": false

diff --git a/src/output-json-flow.c b/src/output-json-flow.c
index f62c117e4978d6721901b0ee327950b1469c359d..c3b479bd05ef7a49ac61a6b115ff8afae1e9ca58 100644 (file)
--- a/src/output-json-flow.c
+++ b/src/output-json-flow.c
@@ -27,6 +27,7 @@
 #include "detect.h"
 #include "pkt-var.h"
 #include "conf.h"
+#include "app-layer-parser.h"
 
 #include "threads.h"
 #include "threadvars.h"
@@ -350,6 +351,13 @@ static void EveFlowLogJSON(OutputJsonThreadCtx *aft, SCJsonBuilder *jb, Flow *f)
         SCJbClose(jb); /* close array */
     }
 
+    if (f->alstate) {
+        uint64_t tx_id = AppLayerParserGetTxCnt(f, f->alstate);
+        if (tx_id) {
+            SCJbSetUint(jb, "tx_cnt", tx_id);
+        }
+    }
+
     /* Close flow. */
     SCJbClose(jb);