detect: re-add app-layer to alerts on stream matches

The `guess-applayer-tx` work also removed the stream match condition
for adding app-layer metadata to alerts. This is a behavior change that
is not desired at this point, so this commit reverts that part of the
changes.

We keep the exising logging of app-layer metadata if the match was in
the stream.

diff --git a/src/detect.c b/src/detect.c
index f3cf0e0ba373c38b9c8975f67a0e2249682098fe..82aaafcb94e1d5512f79c08ef41b4a94f45f1cb6 100644 (file)
--- a/src/detect.c
+++ b/src/detect.c
@@ -822,6 +822,7 @@ static inline void DetectRulePacketRules(
             uint8_t dir = (p->flowflags & FLOW_PKT_TOCLIENT) ? STREAM_TOCLIENT : STREAM_TOSERVER;
             txid = AppLayerParserGetTransactionInspectId(pflow->alparser, dir);
             if ((s->alproto != ALPROTO_UNKNOWN && pflow->proto == IPPROTO_UDP) ||
+                    (alert_flags & PACKET_ALERT_FLAG_STREAM_MATCH) ||
                     (de_ctx->guess_applayer &&
                             AppLayerParserGetTxCnt(pflow, pflow->alstate) == txid + 1)) {
                 // if there is a UDP specific app-layer signature,