doc: info about new config for alert events in EVE

diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst
index 84580e0c700b9765a323a2278dde7353456e046b..c39432b27219437ead36444ffc126cfc9999c4ed 100644 (file)
--- a/doc/userguide/output/eve/eve-json-output.rst
+++ b/doc/userguide/output/eve/eve-json-output.rst
@@ -163,10 +163,22 @@ Metadata::
             # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
             # payload-printable: yes   # enable dumping payload in printable (lossy) format
             # packet: yes              # enable dumping of packet (without stream segments)
+            metadata: yes              # add L7/applayer fields, flowbit and other vars to the alert
+
+Alternatively to the `metadata` key it is also possible to select the application
+layer metadata to output on a per application layer basis ::
+
+        - alert:
             http: yes                # enable dumping of http fields
             tls: yes                 # enable dumping of tls fields
             ssh: yes                 # enable dumping of ssh fields
             smtp: yes                # enable dumping of smtp fields
+            dnp3: yes                # enable dumping of dnp3 fields
+            flow: yes                # enable dumping of a partial flow entry
+            vars: yes                # enable dumping of flowbits and other vars
+
+The `vars` will enable dumping of a set of key/value based on flowbits and other vars
+such as named groups in regular expression.
 
 DNS
 ~~~