eve: user callbacks for adding additional data

Provide a way for library/plugin users to register a callback that
will be called prior to an EVE record being closed. The callback will
be passed ThreadVars, Packet, and Flow pointers if available, as well
as private user data.

diff --git a/src/output-eve-stream.c b/src/output-eve-stream.c
index fcdf0c2e5c0b3e163586cf5c4c04e9b9c89a4743..4b44d86835e793f111b81ec8fff98166ddfe018e 100644 (file)
--- a/src/output-eve-stream.c
+++ b/src/output-eve-stream.c
@@ -425,7 +425,7 @@ static int EveStreamLogger(ThreadVars *tv, void *thread_data, const Packet *p)
     /* Close stream. */
     jb_close(js);
 
-    OutputJsonBuilderBuffer(js, td->ctx);
+    OutputJsonBuilderBuffer(tv, p, p->flow, js, td->ctx);
     jb_free(js);
 
     return TM_ECODE_OK;

diff --git a/src/output-eve.c b/src/output-eve.c
index d0d775cba7f7fbc746f3968309fe3a4d3bc6d341..2c67f3b6c38acc72ca9bbf83d1d6f0b0ad3d792b 100644 (file)
--- a/src/output-eve.c
+++ b/src/output-eve.c
@@ -15,11 +15,50 @@
  * 02110-1301, USA.
  */
 
+#include "suricata-common.h"
 #include "output-eve.h"
 #include "util-debug.h"
+#include "rust.h"
+
+typedef struct EveUserCallback_ {
+    SCEveUserCallbackFn Callback;
+    void *user;
+    struct EveUserCallback_ *next;
+} EveUserCallback;
+
+static EveUserCallback *eve_user_callbacks = NULL;
 
 static TAILQ_HEAD(, SCEveFileType_) output_types = TAILQ_HEAD_INITIALIZER(output_types);
 
+bool SCEveRegisterCallback(SCEveUserCallbackFn fn, void *user)
+{
+    EveUserCallback *cb = SCCalloc(1, sizeof(*cb));
+    if (cb == NULL) {
+        return false;
+    }
+    cb->Callback = fn;
+    cb->user = user;
+    if (eve_user_callbacks == NULL) {
+        eve_user_callbacks = cb;
+    } else {
+        EveUserCallback *current = eve_user_callbacks;
+        while (current->next != NULL) {
+            current = current->next;
+        }
+        current->next = cb;
+    }
+    return true;
+}
+
+void SCEveRunCallbacks(ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *jb)
+{
+    EveUserCallback *cb = eve_user_callbacks;
+    while (cb != NULL) {
+        cb->Callback(tv, p, f, jb, cb->user);
+        cb = cb->next;
+    }
+}
+
 static bool IsBuiltinTypeName(const char *name)
 {
     const char *builtin[] = {

diff --git a/src/output-eve.h b/src/output-eve.h
index 7046c7b98005d2e965ac455fedab8cc2edbfbbe5..7e55ce28f8e2ee0f2b857d0297801316672768b5 100644 (file)
--- a/src/output-eve.h
+++ b/src/output-eve.h
@@ -31,6 +31,7 @@
 #define SURICATA_OUTPUT_EVE_H
 
 #include "suricata-common.h"
+#include "rust.h"
 #include "conf.h"
 
 typedef uint32_t ThreadId;
@@ -173,4 +174,46 @@ bool SCRegisterEveFileType(SCEveFileType *);
 
 SCEveFileType *SCEveFindFileType(const char *name);
 
+/** \brief Function type for EVE callbacks.
+ *
+ * The function type for callbacks registered with
+ * SCEveRegisterCallback. This function will be called with the
+ * JsonBuilder just prior to the top-level object being closed. New
+ * fields maybe added, however there is no way to alter existing
+ * objects already added to the JsonBuilder.
+ *
+ * \param tv The ThreadVars for the thread performing the logging.
+ * \param p Packet if available.
+ * \param f Flow if available.
+ * \param user User data provided during callback registration.
+ */
+typedef void (*SCEveUserCallbackFn)(
+        ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *jb, void *user);
+
+/** \brief Register a callback for adding extra information to EVE logs.
+ *
+ * Allow users to register a callback for each EVE log. The callback
+ * is called just before the root object on the JsonBuilder is to be
+ * closed.
+ *
+ * New objects and fields can be append, but exist entries cannot be modified.
+ *
+ * Packet and Flow will be provided if available, but will other be
+ * NULL.
+ *
+ * Limitations: At this time the callbacks will only be called for EVE
+ * loggers that use JsonBuilder, notably this means it won't be called
+ * for stats records at this time.
+ *
+ * \returns true if callback is registered, false is not due to memory
+ *     allocation error.
+ */
+bool SCEveRegisterCallback(SCEveUserCallbackFn fn, void *user);
+
+/** \internal
+ *
+ * Run EVE callbacks.
+ */
+void SCEveRunCallbacks(ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *jb);
+
 #endif

diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 7822cc79804520c98514997f6cb8547c095bf863..91a55828a7a1b9ae912aa35b9b57e78af7810c5f 100644 (file)
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -757,7 +757,7 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
             EveAddVerdict(jb, p);
         }
 
-        OutputJsonBuilderBuffer(jb, aft->ctx);
+        OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
         jb_free(jb);
     }
 
@@ -767,7 +767,7 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
                 CreateEveHeader(p, LOG_DIR_PACKET, "packet", NULL, json_output_ctx->eve_ctx);
         if (unlikely(packetjs != NULL)) {
             EvePacket(p, packetjs, 0);
-            OutputJsonBuilderBuffer(packetjs, aft->ctx);
+            OutputJsonBuilderBuffer(tv, p, p->flow, packetjs, aft->ctx);
             jb_free(packetjs);
         }
     }
@@ -801,7 +801,7 @@ static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const
 
         AlertJsonHeader(p, pa, jb, json_output_ctx->flags, NULL, NULL);
 
-        OutputJsonBuilderBuffer(jb, aft->ctx);
+        OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
         jb_free(jb);
     }
 

diff --git a/src/output-json-anomaly.c b/src/output-json-anomaly.c
index 241cb974a7588b63620013f73f388b5d233ee9d9..00f82fa3685e955041e910f01617561573819ded 100644 (file)
--- a/src/output-json-anomaly.c
+++ b/src/output-json-anomaly.c
@@ -143,16 +143,16 @@ static int AnomalyDecodeEventJson(ThreadVars *tv, JsonAnomalyLogThread *aft,
             EvePacket(p, js, GET_PKT_LEN(p) < 32 ? GET_PKT_LEN(p) : 32);
         }
 
-        OutputJsonBuilderBuffer(js, aft->ctx);
+        OutputJsonBuilderBuffer(tv, p, p->flow, js, aft->ctx);
         jb_free(js);
     }
 
     return TM_ECODE_OK;
 }
 
-static int AnomalyAppLayerDecoderEventJson(JsonAnomalyLogThread *aft,
-                        const Packet *p, AppLayerDecoderEvents *decoder_events,
-                        bool is_pktlayer, const char *layer, uint64_t tx_id)
+static int AnomalyAppLayerDecoderEventJson(ThreadVars *tv, JsonAnomalyLogThread *aft,
+        const Packet *p, AppLayerDecoderEvents *decoder_events, bool is_pktlayer, const char *layer,
+        uint64_t tx_id)
 {
     const char *alprotoname = AppLayerGetProtoName(p->flow->alproto);
 
@@ -201,7 +201,7 @@ static int AnomalyAppLayerDecoderEventJson(JsonAnomalyLogThread *aft,
 
         /* anomaly */
         jb_close(js);
-        OutputJsonBuilderBuffer(js, aft->ctx);
+        OutputJsonBuilderBuffer(tv, p, p->flow, js, aft->ctx);
         jb_free(js);
 
         /* Current implementation assumes a single owner for this value */
@@ -223,8 +223,7 @@ static int JsonAnomalyTxLogger(ThreadVars *tv, void *thread_data, const Packet *
     decoder_events = AppLayerParserGetEventsByTx(f->proto, f->alproto, tx);
     if (decoder_events && decoder_events->event_last_logged < decoder_events->cnt) {
         SCLogDebug("state %p, tx: %p, tx_id: %"PRIu64, state, tx, tx_id);
-        AnomalyAppLayerDecoderEventJson(aft, p, decoder_events, false,
-                                        "proto_parser", tx_id);
+        AnomalyAppLayerDecoderEventJson(tv, aft, p, decoder_events, false, "proto_parser", tx_id);
     }
     return TM_ECODE_OK;
 }
@@ -255,8 +254,8 @@ static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *
     if (aft->json_output_ctx->flags & LOG_JSON_APPLAYER_TYPE) {
         /* app layer proto detect events */
         if (rc == TM_ECODE_OK && AnomalyHasPacketAppLayerEvents(p)) {
-            rc = AnomalyAppLayerDecoderEventJson(aft, p, p->app_layer_events,
-                                                 true, "proto_detect", TX_ID_UNUSED);
+            rc = AnomalyAppLayerDecoderEventJson(
+                    tv, aft, p, p->app_layer_events, true, "proto_detect", TX_ID_UNUSED);
         }
 
         /* parser state events */
@@ -264,8 +263,8 @@ static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *
             SCLogDebug("Checking for anomaly events; alproto %d", p->flow->alproto);
             AppLayerDecoderEvents *parser_events = AppLayerParserGetDecoderEvents(p->flow->alparser);
             if (parser_events && (parser_events->event_last_logged < parser_events->cnt)) {
-                rc = AnomalyAppLayerDecoderEventJson(aft, p, parser_events,
-                                                     false, "parser", TX_ID_UNUSED);
+                rc = AnomalyAppLayerDecoderEventJson(
+                        tv, aft, p, parser_events, false, "parser", TX_ID_UNUSED);
             }
         }
     }

diff --git a/src/output-json-arp.c b/src/output-json-arp.c
index 0490c6b54d1ecae1e33d0d1b18805b3423280c7c..87a80d8cdb0b7544946be9e317a96b2c8af4df62 100644 (file)
--- a/src/output-json-arp.c
+++ b/src/output-json-arp.c
@@ -90,7 +90,7 @@ static int JsonArpLogger(ThreadVars *tv, void *thread_data, const Packet *p)
     JSONFormatAndAddMACAddr(jb, "dest_mac", arph->dest_mac, false);
     jb_set_string(jb, "dest_ip", dstip);
     jb_close(jb); /* arp */
-    OutputJsonBuilderBuffer(jb, thread);
+    OutputJsonBuilderBuffer(tv, p, p->flow, jb, thread);
     jb_free(jb);
 
     return TM_ECODE_OK;

diff --git a/src/output-json-dcerpc.c b/src/output-json-dcerpc.c
index 17e0199ed727b421cc7f70f764b863105657f926..3b3bff90feacd0bcdeeb144ca58f5ba217994799 100644 (file)
--- a/src/output-json-dcerpc.c
+++ b/src/output-json-dcerpc.c
@@ -47,7 +47,7 @@ static int JsonDCERPCLogger(ThreadVars *tv, void *thread_data,
     jb_close(jb);
 
     MemBufferReset(thread->buffer);
-    OutputJsonBuilderBuffer(jb, thread);
+    OutputJsonBuilderBuffer(tv, p, p->flow, jb, thread);
 
     jb_free(jb);
     return TM_ECODE_OK;

diff --git a/src/output-json-dhcp.c b/src/output-json-dhcp.c
index 9c7d9dff9230cba9046c77dcc7b7bd13f6ec9a5d..a4a4a29990e83bdec809deab9f3ec1658ea0477e 100644 (file)
--- a/src/output-json-dhcp.c
+++ b/src/output-json-dhcp.c
@@ -72,7 +72,7 @@ static int JsonDHCPLogger(ThreadVars *tv, void *thread_data,
 
     rs_dhcp_logger_log(ctx->rs_logger, tx, js);
 
-    OutputJsonBuilderBuffer(js, thread->thread);
+    OutputJsonBuilderBuffer(tv, p, p->flow, js, thread->thread);
     jb_free(js);
 
     return TM_ECODE_OK;

diff --git a/src/output-json-dnp3.c b/src/output-json-dnp3.c
index 53cecd78a1aabfe8832e1a573e5dc74aa61b9976..ea557ff206a89af86406d051e224d3f0b51726e0 100644 (file)
--- a/src/output-json-dnp3.c
+++ b/src/output-json-dnp3.c
@@ -246,7 +246,7 @@ static int JsonDNP3LoggerToServer(ThreadVars *tv, void *thread_data,
     jb_open_object(js, "dnp3");
     JsonDNP3LogRequest(js, tx);
     jb_close(js);
-    OutputJsonBuilderBuffer(js, thread->ctx);
+    OutputJsonBuilderBuffer(tv, p, p->flow, js, thread->ctx);
     jb_free(js);
 
     SCReturnInt(TM_ECODE_OK);
@@ -267,7 +267,7 @@ static int JsonDNP3LoggerToClient(ThreadVars *tv, void *thread_data,
     jb_open_object(js, "dnp3");
     JsonDNP3LogResponse(js, tx);
     jb_close(js);
-    OutputJsonBuilderBuffer(js, thread->ctx);
+    OutputJsonBuilderBuffer(tv, p, p->flow, js, thread->ctx);
     jb_free(js);
 
     SCReturnInt(TM_ECODE_OK);

diff --git a/src/output-json-dns.c b/src/output-json-dns.c
index 3954da2336dcfbd73cefb99c5c1bd14c7cbf5fd1..cb60a4509a3219e2cf243b86fcf790c52c27276d 100644 (file)
--- a/src/output-json-dns.c
+++ b/src/output-json-dns.c
@@ -331,7 +331,7 @@ static int JsonDoh2Logger(ThreadVars *tv, void *thread_data, const Packet *p, Fl
     }
 out:
     if (r || r2) {
-        OutputJsonBuilderBuffer(jb, td->ctx);
+        OutputJsonBuilderBuffer(tv, p, p->flow, jb, td->ctx);
     }
     jb_free(jb);
     return TM_ECODE_OK;
@@ -363,7 +363,7 @@ static int JsonDnsLoggerToServer(ThreadVars *tv, void *thread_data,
         }
         jb_close(jb);
 
-        OutputJsonBuilderBuffer(jb, td->ctx);
+        OutputJsonBuilderBuffer(tv, p, p->flow, jb, td->ctx);
         jb_free(jb);
     }
 
@@ -392,7 +392,7 @@ static int JsonDnsLoggerToClient(ThreadVars *tv, void *thread_data,
         jb_set_int(jb, "version", 2);
         SCDnsLogJsonAnswer(txptr, td->dnslog_ctx->flags, jb);
         jb_close(jb);
-        OutputJsonBuilderBuffer(jb, td->ctx);
+        OutputJsonBuilderBuffer(tv, p, p->flow, jb, td->ctx);
         jb_free(jb);
     }
 
@@ -432,7 +432,7 @@ static int JsonDnsLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flo
         }
 
         if (SCDnsLogJson(txptr, td->dnslog_ctx->flags, jb)) {
-            OutputJsonBuilderBuffer(jb, td->ctx);
+            OutputJsonBuilderBuffer(tv, p, p->flow, jb, td->ctx);
         }
         jb_free(jb);
     }

diff --git a/src/output-json-drop.c b/src/output-json-drop.c
index b82c632daf653a47540e0598e1e0d8648e90bcb2..1ac27a209d2a89bd700ac7f1ec07da6961127def 100644 (file)
--- a/src/output-json-drop.c
+++ b/src/output-json-drop.c
@@ -85,7 +85,7 @@ static int g_droplog_flows_start = 1;
  *
  * \return return TM_ECODE_OK on success
  */
-static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
+static int DropLogJSON(ThreadVars *tv, JsonDropLogThread *aft, const Packet *p)
 {
     JsonDropOutputCtx *drop_ctx = aft->drop_ctx;
 
@@ -191,7 +191,7 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
         }
     }
 
-    OutputJsonBuilderBuffer(js, aft->ctx);
+    OutputJsonBuilderBuffer(tv, p, p->flow, js, aft->ctx);
     jb_free(js);
 
     return TM_ECODE_OK;
@@ -326,7 +326,7 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_
 static int JsonDropLogger(ThreadVars *tv, void *thread_data, const Packet *p)
 {
     JsonDropLogThread *td = thread_data;
-    int r = DropLogJSON(td, p);
+    int r = DropLogJSON(tv, td, p);
     if (r < 0)
         return -1;
 

diff --git a/src/output-json-file.c b/src/output-json-file.c
index 509ae488bbee1c420308dc27af09b8d94aaabdeb..e1f33893806e6507ba9932ae8209cb8b94b50879 100644 (file)
--- a/src/output-json-file.c
+++ b/src/output-json-file.c
@@ -213,8 +213,8 @@ JsonBuilder *JsonBuildFileInfoRecord(const Packet *p, const File *ff, void *tx,
  *  \internal
  *  \brief Write meta data on a single line json record
  */
-static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const File *ff, void *tx,
-        const uint64_t tx_id, uint8_t dir, OutputJsonCtx *eve_ctx)
+static void FileWriteJsonRecord(ThreadVars *tv, JsonFileLogThread *aft, const Packet *p,
+        const File *ff, void *tx, const uint64_t tx_id, uint8_t dir, OutputJsonCtx *eve_ctx)
 {
     HttpXFFCfg *xff_cfg = aft->filelog_ctx->xff_cfg != NULL ? aft->filelog_ctx->xff_cfg
                                                             : aft->filelog_ctx->parent_xff_cfg;
@@ -223,7 +223,7 @@ static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const F
         return;
     }
 
-    OutputJsonBuilderBuffer(js, aft->ctx);
+    OutputJsonBuilderBuffer(tv, p, p->flow, js, aft->ctx);
     jb_free(js);
 }
 
@@ -237,7 +237,7 @@ static int JsonFileLogger(ThreadVars *tv, void *thread_data, const Packet *p, co
 
     SCLogDebug("ff %p", ff);
 
-    FileWriteJsonRecord(aft, p, ff, tx, tx_id, dir, aft->filelog_ctx->eve_ctx);
+    FileWriteJsonRecord(tv, aft, p, ff, tx, tx_id, dir, aft->filelog_ctx->eve_ctx);
     return 0;
 }
 

diff --git a/src/output-json-flow.c b/src/output-json-flow.c
index f7826734f0cb771353a4501faabcdff6fa7a5096..051d530fb1efafee2663ecaff5f4ed1788bbeb9b 100644 (file)
--- a/src/output-json-flow.c
+++ b/src/output-json-flow.c
@@ -340,7 +340,7 @@ static int JsonFlowLogger(ThreadVars *tv, void *thread_data, Flow *f)
 
     EveFlowLogJSON(thread, jb, f);
 
-    OutputJsonBuilderBuffer(jb, thread);
+    OutputJsonBuilderBuffer(tv, NULL, f, jb, thread);
     jb_free(jb);
 
     SCReturnInt(TM_ECODE_OK);

diff --git a/src/output-json-frame.c b/src/output-json-frame.c
index 09ec4aaab11003771e243366be989a1c384cb04e..90224240f43f28e2b1ef7ee3b75c9832e1c2ed9e 100644 (file)
--- a/src/output-json-frame.c
+++ b/src/output-json-frame.c
@@ -287,8 +287,8 @@ void FrameJsonLogOneFrame(const uint8_t ipproto, const Frame *frame, Flow *f,
     jb_close(jb);
 }
 
-static int FrameJsonUdp(
-        JsonFrameLogThread *aft, const Packet *p, Flow *f, FramesContainer *frames_container)
+static int FrameJsonUdp(ThreadVars *tv, JsonFrameLogThread *aft, const Packet *p, Flow *f,
+        FramesContainer *frames_container)
 {
     FrameJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
 
@@ -315,7 +315,7 @@ static int FrameJsonUdp(
 
         jb_set_string(jb, "app_proto", AppProtoToString(f->alproto));
         FrameJsonLogOneFrame(IPPROTO_UDP, frame, p->flow, NULL, p, jb, aft->payload_buffer);
-        OutputJsonBuilderBuffer(jb, aft->ctx);
+        OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
         jb_free(jb);
         frame->flags |= FRAME_FLAG_LOGGED;
     }
@@ -333,7 +333,7 @@ static int FrameJson(ThreadVars *tv, JsonFrameLogThread *aft, const Packet *p)
         return TM_ECODE_OK;
 
     if (p->proto == IPPROTO_UDP) {
-        return FrameJsonUdp(aft, p, p->flow, frames_container);
+        return FrameJsonUdp(tv, aft, p, p->flow, frames_container);
     }
 
     BUG_ON(p->proto != IPPROTO_TCP);
@@ -387,7 +387,7 @@ static int FrameJson(ThreadVars *tv, JsonFrameLogThread *aft, const Packet *p)
 
             jb_set_string(jb, "app_proto", AppProtoToString(p->flow->alproto));
             FrameJsonLogOneFrame(IPPROTO_TCP, frame, p->flow, stream, p, jb, aft->payload_buffer);
-            OutputJsonBuilderBuffer(jb, aft->ctx);
+            OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
             jb_free(jb);
             frame->flags |= FRAME_FLAG_LOGGED;
         } else if (frame != NULL) {

diff --git a/src/output-json-http.c b/src/output-json-http.c
index 0c5b875ee9adf3ad91189bf472ea055b5110707c..b45be9a45b6ba7a5959bfaf91902ca9d265fcd83 100644 (file)
--- a/src/output-json-http.c
+++ b/src/output-json-http.c
@@ -493,7 +493,7 @@ static int JsonHttpLogger(ThreadVars *tv, void *thread_data, const Packet *p, Fl
         }
     }
 
-    OutputJsonBuilderBuffer(js, jhl->ctx);
+    OutputJsonBuilderBuffer(tv, p, p->flow, js, jhl->ctx);
     jb_free(js);
 
     SCReturnInt(TM_ECODE_OK);

diff --git a/src/output-json-ike.c b/src/output-json-ike.c
index 470026fde13bb8d46f1182804a7effb83a787c61..a13ef0e1d94496d3213c91884e1ea8bcf421f281 100644 (file)
--- a/src/output-json-ike.c
+++ b/src/output-json-ike.c
@@ -90,7 +90,7 @@ static int JsonIKELogger(ThreadVars *tv, void *thread_data, const Packet *p, Flo
         goto error;
     }
 
-    OutputJsonBuilderBuffer(jb, thread->ctx);
+    OutputJsonBuilderBuffer(tv, p, p->flow, jb, thread->ctx);
 
     jb_free(jb);
     return TM_ECODE_OK;

diff --git a/src/output-json-metadata.c b/src/output-json-metadata.c
index f97547c551b436e2191f0f9dd2d5eb3fa23514fd..2602e4b9b3efc60db6b638999ddcf1ccfab57b03 100644 (file)
--- a/src/output-json-metadata.c
+++ b/src/output-json-metadata.c
@@ -74,7 +74,7 @@ static int MetadataJson(ThreadVars *tv, OutputJsonThreadCtx *aft, const Packet *
     if (!aft->ctx->cfg.include_metadata) {
         EveAddMetadata(p, p->flow, js);
     }
-    OutputJsonBuilderBuffer(js, aft);
+    OutputJsonBuilderBuffer(tv, p, p->flow, js, aft);
 
     jb_free(js);
     return TM_ECODE_OK;

diff --git a/src/output-json-mqtt.c b/src/output-json-mqtt.c
index 66cf67a0334b48c97a646baddce8a3fe74a334ae..c912ddcc18359c7a993ef3eb6d02a993afbd7ce9 100644 (file)
--- a/src/output-json-mqtt.c
+++ b/src/output-json-mqtt.c
@@ -85,7 +85,7 @@ static int JsonMQTTLogger(ThreadVars *tv, void *thread_data,
     if (!rs_mqtt_logger_log(tx, thread->mqttlog_ctx->flags, thread->mqttlog_ctx->max_log_len, js))
         goto error;
 
-    OutputJsonBuilderBuffer(js, thread->ctx);
+    OutputJsonBuilderBuffer(tv, p, p->flow, js, thread->ctx);
     jb_free(js);
 
     return TM_ECODE_OK;

diff --git a/src/output-json-netflow.c b/src/output-json-netflow.c
index 2e359bb909c54670f2fa0ad13b888e53f6ca82c8..e448ecd33bc4802d21b77e0fccd9d0e2b6f51026 100644 (file)
--- a/src/output-json-netflow.c
+++ b/src/output-json-netflow.c
@@ -276,7 +276,7 @@ static int JsonNetFlowLogger(ThreadVars *tv, void *thread_data, Flow *f)
         return TM_ECODE_OK;
     NetFlowLogEveToServer(jb, f);
     EveAddCommonOptions(&jhl->ctx->cfg, NULL, f, jb, LOG_DIR_FLOW_TOSERVER);
-    OutputJsonBuilderBuffer(jb, jhl);
+    OutputJsonBuilderBuffer(tv, NULL, f, jb, jhl);
     jb_free(jb);
 
     /* only log a response record if we actually have seen response packets */
@@ -286,7 +286,7 @@ static int JsonNetFlowLogger(ThreadVars *tv, void *thread_data, Flow *f)
             return TM_ECODE_OK;
         NetFlowLogEveToClient(jb, f);
         EveAddCommonOptions(&jhl->ctx->cfg, NULL, f, jb, LOG_DIR_FLOW_TOCLIENT);
-        OutputJsonBuilderBuffer(jb, jhl);
+        OutputJsonBuilderBuffer(tv, NULL, f, jb, jhl);
         jb_free(jb);
     }
     SCReturnInt(TM_ECODE_OK);

diff --git a/src/output-json-nfs.c b/src/output-json-nfs.c
index 72274a6b7865028bcb089e1aa8fc2b1fc4736bd0..0b08c0e5105de732c8a3392dd15d51a7575e0111 100644 (file)
--- a/src/output-json-nfs.c
+++ b/src/output-json-nfs.c
@@ -94,7 +94,7 @@ static int JsonNFSLogger(ThreadVars *tv, void *thread_data,
     jb_close(jb);
 
     MemBufferReset(thread->buffer);
-    OutputJsonBuilderBuffer(jb, thread);
+    OutputJsonBuilderBuffer(tv, p, p->flow, jb, thread);
     jb_free(jb);
     return TM_ECODE_OK;
 }

diff --git a/src/output-json-pgsql.c b/src/output-json-pgsql.c
index 71bcd10f071d178639b52fc43a6fc8b3ec21aba8..9cba28d25d4e3d78b9be8d6ef4f6eb269d7c78c8 100644 (file)
--- a/src/output-json-pgsql.c
+++ b/src/output-json-pgsql.c
@@ -80,7 +80,7 @@ static int JsonPgsqlLogger(ThreadVars *tv, void *thread_data, const Packet *p, F
         goto error;
     }
 
-    OutputJsonBuilderBuffer(jb, thread->ctx);
+    OutputJsonBuilderBuffer(tv, p, p->flow, jb, thread->ctx);
     jb_free(jb);
 
     return TM_ECODE_OK;

diff --git a/src/output-json-smb.c b/src/output-json-smb.c
index 279ee772e8f0e84c837e908819afb3dc211213f7..4be1fce93e7226e7ceb06d7313da0f46ee7e87fc 100644 (file)
--- a/src/output-json-smb.c
+++ b/src/output-json-smb.c
@@ -59,7 +59,7 @@ static int JsonSMBLogger(ThreadVars *tv, void *thread_data,
     }
     jb_close(jb);
 
-    OutputJsonBuilderBuffer(jb, thread);
+    OutputJsonBuilderBuffer(tv, p, p->flow, jb, thread);
 
     jb_free(jb);
     return TM_ECODE_OK;

diff --git a/src/output-json-smtp.c b/src/output-json-smtp.c
index bddbc4a9fcc4ea9dcefa0fabf46a216bb47c636b..592645cb3c092fca91c63bfcc09f89d3c179bd8b 100644 (file)
--- a/src/output-json-smtp.c
+++ b/src/output-json-smtp.c
@@ -85,7 +85,7 @@ static int JsonSmtpLogger(ThreadVars *tv, void *thread_data, const Packet *p, Fl
     jb_close(jb);
 
     EveEmailLogJson(jhl, jb, p, f, state, tx, tx_id);
-    OutputJsonBuilderBuffer(jb, jhl->ctx);
+    OutputJsonBuilderBuffer(tv, p, p->flow, jb, jhl->ctx);
 
     jb_free(jb);
 

diff --git a/src/output-json-tls.c b/src/output-json-tls.c
index aa24b3380a0daa72ebf9ca53921de88494220d10..c4ba0e249e62e50267e8df51d52cc0fc3f4a3486 100644 (file)
--- a/src/output-json-tls.c
+++ b/src/output-json-tls.c
@@ -501,7 +501,7 @@ static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
     /* Close the tls object. */
     jb_close(js);
 
-    OutputJsonBuilderBuffer(js, aft->ctx);
+    OutputJsonBuilderBuffer(tv, p, p->flow, js, aft->ctx);
     jb_free(js);
 
     return 0;

diff --git a/src/output-json.c b/src/output-json.c
index 1f411cc110b8920fda2f4ef0650b3ec882de2c6d..18376fd428a5b7bcd025ac39af58e8587974392a 100644 (file)
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -955,7 +955,8 @@ int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer)
     return 0;
 }
 
-int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx)
+int OutputJsonBuilderBuffer(
+        ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *js, OutputJsonThreadCtx *ctx)
 {
     LogFileCtx *file_ctx = ctx->file_ctx;
     MemBuffer **buffer = &ctx->buffer;
@@ -967,6 +968,8 @@ int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx)
         jb_set_string(js, "pcap_filename", PcapFileGetFilename());
     }
 
+    SCEveRunCallbacks(tv, p, f, js);
+
     jb_close(js);
 
     MemBufferReset(*buffer);

diff --git a/src/output-json.h b/src/output-json.h
index 761064f7e10aed9f5f52f2174d897982c48b7528..89597e616a0f51a90c37d65f7a26574a93cbe667 100644 (file)
--- a/src/output-json.h
+++ b/src/output-json.h
@@ -103,7 +103,8 @@ JsonBuilder *CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir,
 JsonBuilder *CreateEveHeaderWithTxId(const Packet *p, enum OutputJsonLogDirection dir,
         const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx);
 int OutputJSONBuffer(json_t *js, LogFileCtx *file_ctx, MemBuffer **buffer);
-int OutputJsonBuilderBuffer(JsonBuilder *js, OutputJsonThreadCtx *ctx);
+int OutputJsonBuilderBuffer(
+        ThreadVars *tv, const Packet *p, Flow *f, JsonBuilder *js, OutputJsonThreadCtx *ctx);
 OutputInitResult OutputJsonInitCtx(ConfNode *);
 
 OutputInitResult OutputJsonLogInitSub(ConfNode *conf, OutputCtx *parent_ctx);

diff --git a/src/output.c b/src/output.c
index 002f33b5abc69fc7a2d615fc594637f7d789b20f..b99897509c0f19217c4cea241d2bc3318ebcb33e 100644 (file)
--- a/src/output.c
+++ b/src/output.c
@@ -927,7 +927,7 @@ static int JsonGenericLogger(ThreadVars *tv, void *thread_data, const Packet *p,
         goto error;
     }
 
-    OutputJsonBuilderBuffer(js, thread);
+    OutputJsonBuilderBuffer(tv, p, p->flow, js, thread);
     jb_free(js);
 
     return TM_ECODE_OK;