doc: document flow event_type

diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index 5b85a9104f35396069bd79f89c0924060ec1b9e4..a20c22d8538a514902bf09240c2e94d723f4876f 100644 (file)
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -860,3 +860,47 @@ Example of SSH logging:
         "software_version": "OpenSSH_6.7",
      }
   }
+
+Event type: Flow
+----------------
+
+Fields
+~~~~~~
+
+* "pkts_toserver": total number of packets to server, include bypassed packets
+* "pkts_toclient": total number of packets to client
+* "bytes_toserver": total bytes count to server
+* "bytes_toclient": total bytes count to client
+* "bypassed.pkts_toserver": number of bypassed packets to server
+* "bypassed.pkts_toclient": number of bypassed packets to client
+* "bypassed.bytes_toserver": bypassed bytes count to server
+* "bypassed.bytes_toclient": bypassed bytes count to client
+* "start": date of start of the flow
+* "end": date of end of flow (last seen packet)
+* "age": duration of the flow
+* "bypass": if the flow has been bypassed, it is set to "local" (internal bypass) or "capture"
+* "state": display state of the flow (include "new", "established", "closed", "bypassed")
+* "reason": mechanism that did trigger the end of the flow (include "timeout", "forced" and "shutdown")
+* "alerted": "true" or "false" depending if an alert has been seen on flow
+
+Example ::
+
+  "flow": {
+    "pkts_toserver": 23,
+    "pkts_toclient": 21,
+    "bytes_toserver": 4884,
+    "bytes_toclient": 7392,
+    "bypassed": {
+      "pkts_toserver": 10,
+      "pkts_toclient": 8,
+      "bytes_toserver": 1305,
+      "bytes_toclient": 984
+    },
+    "start": "2019-05-28T23:32:29.025256+0200",
+    "end": "2019-05-28T23:35:28.071281+0200",
+    "age": 179,
+    "bypass": "capture",
+    "state": "bypassed",
+    "reason": "timeout",
+    "alerted": false
+  }