output-json-tls: log 'from_proto' field

Log the original application level protocol when protocol have been
changed because of STARTTLS, HTTP CONNECT or similar.

diff --git a/src/output-json-tls.c b/src/output-json-tls.c
index 5184373d65598824b61d55c8fc9a55ae4b399457..3bdd481621de3ba05c1ed5804fd505d8d81247b8 100644 (file)
--- a/src/output-json-tls.c
+++ b/src/output-json-tls.c
@@ -383,6 +383,13 @@ static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
         JsonTlsLogJSONBasic(tjs, ssl_state);
     }
 
+    /* print original application level protocol when it have been changed
+       because of STARTTLS, HTTP CONNECT, or similar. */
+    if (f->alproto_orig != ALPROTO_UNKNOWN) {
+        json_object_set_new(tjs, "from_proto",
+                json_string(AppLayerGetProtoName(f->alproto_orig)));
+    }
+
     json_object_set_new(js, "tls", tjs);
 
     OutputJSONBuffer(js, tls_ctx->file_ctx, &aft->buffer);