ftp: do not set alproto if one was already found

Ticket: 4857

If a pattern such as GET is seen ine the beginning of the
file transferred over ftp-data, this flow will get recognized
as HTTP, and a HTTP state will be created during parsing.

Thus, we cannot override directly alproto's values

This solves the segfault, but not the logical bug that the flow
should be classified as FTP-DATA instead of HTTP

(cherry picked from commit dd32238667f08c7211ae4fa27cfe43af7cffd52d)

diff --git a/src/app-layer-expectation.c b/src/app-layer-expectation.c
index 00ff035db7413b9a614e513a77c9fcaa0dbcf23d..c920a1999115880b6e2e239d531d0016310b30da 100644 (file)
--- a/src/app-layer-expectation.c
+++ b/src/app-layer-expectation.c
@@ -322,8 +322,12 @@ AppProto AppLayerExpectationHandle(Flow *f, uint8_t flags)
         if ((exp->direction & flags) && ((exp->sp == 0) || (exp->sp == f->sp)) &&
                 ((exp->dp == 0) || (exp->dp == f->dp))) {
             alproto = exp->alproto;
-            f->alproto_ts = alproto;
-            f->alproto_tc = alproto;
+            if (f->alproto_ts == ALPROTO_UNKNOWN) {
+                f->alproto_ts = alproto;
+            }
+            if (f->alproto_tc == ALPROTO_UNKNOWN) {
+                f->alproto_tc = alproto;
+            }
             void *fdata = FlowGetStorageById(f, g_expectation_data_id);
             if (fdata) {
                 /* We already have an expectation so let's clean this one */