ftp: do not set alproto if one was already found 7028/head
authorPhilippe Antoine <contact@catenacyber.fr>
Mon, 29 Nov 2021 09:59:10 +0000 (10:59 +0100)
committerJeff Lucovsky <jeff@lucovsky.org>
Tue, 8 Feb 2022 15:30:32 +0000 (10:30 -0500)
Ticket: 4857

If a pattern such as GET is seen in the beginning of the
file transferred over ftp-data, this flow will get recognized
as HTTP, and a HTTP state will be created during parsing.

Thus, we cannot override directly alproto's values

This solves the segfault, but not the logical bug that the flow
should be classified as FTP-DATA instead of HTTP

(cherry picked from commit dd32238667f08c7211ae4fa27cfe43af7cffd52d)

src/app-layer-expectation.c

index ee158e94d28560fa8ac49736806b7867f68f03ec..cdd064cc301ca0824175f346f129a0e03d373e5b 100644 (file)
@@ -323,8 +323,12 @@ AppProto AppLayerExpectationHandle(Flow *f, int direction)
              ((exp->sp == 0) || (exp->sp == f->sp)) &&
              ((exp->dp == 0) || (exp->dp == f->dp))) {
             alproto = exp->alproto;
-            f->alproto_ts = alproto;
-            f->alproto_tc = alproto;
+            if (f->alproto_ts == ALPROTO_UNKNOWN) {
+                f->alproto_ts = alproto;
+            }
+            if (f->alproto_tc == ALPROTO_UNKNOWN) {
+                f->alproto_tc = alproto;
+            }
             void *fdata = FlowGetStorageById(f, g_expectation_data_id);
             if (fdata) {
                 /* We already have an expectation so let's clean this one */
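Review bot: `alproto = exp->alproto;` at the top of the matched branch is still unconditional, so when `f->alproto_ts` or `f->alproto_tc` was already set, the local value can differ from what the flow now holds. If AppLayerExpectationHandle returns that local, the caller may still act on the expected protocol while the flow keeps a parser state built for the detected one; the return statement and the callers are outside the hunk, so this needs checking there. The two new guards also carry no comment explaining why an existing value wins; something like `/* keep an already-detected protocol: a parser state may exist for it and overwriting would mismatch it (Ticket 4857) */` above the first `if` would help. Since the skipped case is triggered by the content of the transferred data, a debug log when the expectation's protocol is not applied would make the resulting misclassification visible during triage.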