eve/netflow: only log response record if we've seen response pkts

diff --git a/src/output-json-netflow.c b/src/output-json-netflow.c
index f13a837a25bf9ceef0c8e61268411b2d567dcb33..7659a9679bce696cdc08f2f7713babe325e6e82e 100644 (file)
--- a/src/output-json-netflow.c
+++ b/src/output-json-netflow.c
@@ -321,20 +321,22 @@ static int JsonNetFlowLogger(ThreadVars *tv, void *thread_data, Flow *f)
     json_object_clear(js);
     json_decref(js);
 
-    /* reset */
-    MemBufferReset(jhl->buffer);
-    js = CreateJSONHeaderFromFlow(f, "netflow", 1);
-    if (unlikely(js == NULL))
-        return TM_ECODE_OK;
-    JsonNetFlowLogJSONToClient(jhl, js, f);
-    if (netflow_ctx->include_metadata) {
-        JsonAddMetadata(NULL, f, js);
+    /* only log a response record if we actually have seen response packets */
+    if (f->tosrcpktcnt) {
+        /* reset */
+        MemBufferReset(jhl->buffer);
+        js = CreateJSONHeaderFromFlow(f, "netflow", 1);
+        if (unlikely(js == NULL))
+            return TM_ECODE_OK;
+        JsonNetFlowLogJSONToClient(jhl, js, f);
+        if (netflow_ctx->include_metadata) {
+            JsonAddMetadata(NULL, f, js);
+        }
+        OutputJSONBuffer(js, jhl->flowlog_ctx->file_ctx, &jhl->buffer);
+        json_object_del(js, "netflow");
+        json_object_clear(js);
+        json_decref(js);
     }
-    OutputJSONBuffer(js, jhl->flowlog_ctx->file_ctx, &jhl->buffer);
-    json_object_del(js, "netflow");
-    json_object_clear(js);
-    json_decref(js);
-
     SCReturnInt(TM_ECODE_OK);
 }