json-alert: add smtp elements in alert
author Eric Leblond <eric@regit.org>
Sun, 13 Sep 2015 17:08:52 +0000 (19:08 +0200)
committer Eric Leblond <eric@regit.org>
Tue, 6 Oct 2015 21:30:46 +0000 (23:30 +0200)
src/output-json-alert.c
suricata.yaml.in

index e357d2c9d9ee9903de0b2b1e29c2668d5806978f..61780075f5293bc6e8a70486edfdef535e5178cd 100644 (file)
@@ -54,6 +54,7 @@
 #include "output-json-http.h"
 #include "output-json-tls.h"
 #include "output-json-ssh.h"
+#include "output-json-smtp.h"
 
 #include "util-byte.h"
 #include "util-privs.h"
@@ -74,6 +75,7 @@
 #define LOG_JSON_HTTP 8
 #define LOG_JSON_TLS 16
 #define LOG_JSON_SSH 32
+#define LOG_JSON_SMTP 64
 
 #define JSON_STREAM_BUFFER_SIZE 4096
 
@@ -237,6 +239,22 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
             }
         }
 
+        if (json_output_ctx->flags & LOG_JSON_SMTP) {
+            if (p->flow != NULL) {
+                FLOWLOCK_RDLOCK(p->flow);
+                uint16_t proto = FlowGetAppProtocol(p->flow);
+
+                /* http alert */
+                if (proto == ALPROTO_SMTP) {
+                    hjs = JsonSMTPAddMetadata(p->flow);
+                    if (hjs)
+                        json_object_set_new(js, "smtp", hjs);
+                }
+
+                FLOWLOCK_UNLOCK(p->flow);
+            }
+        }
+
         /* payload */
         if (json_output_ctx->flags & (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64)) {
             int stream = (p->proto == IPPROTO_TCP) ?
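Review bot: The comment heading the new SMTP block is a copy-paste leftover: `/* http alert */` sits directly above the `proto == ALPROTO_SMTP` test and should read `/* smtp alert */`, otherwise the next reader will assume the wrong protocol is being handled. The block also takes `FLOWLOCK_RDLOCK(p->flow)` and calls `FlowGetAppProtocol` on its own, which presumably repeats what the http/tls/ssh blocks above it already do for the same packet; if those blocks have the same shape, a single read lock and protocol lookup shared by all the per-protocol cases would avoid re-acquiring the flow lock several times per alert, though that is a wider refactor than this commit needs. Note too that `hjs` is reused from earlier in the function rather than declared here, so its previous value is overwritten only when the SMTP branch runs. AlertJson begins before and ends after this hunk.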
@@ -586,6 +604,7 @@ static OutputCtx *JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
         const char *http = ConfNodeLookupChildValue(conf, "http");
         const char *tls = ConfNodeLookupChildValue(conf, "tls");
         const char *ssh = ConfNodeLookupChildValue(conf, "ssh");
+        const char *smtp = ConfNodeLookupChildValue(conf, "smtp");
 
         if (ssh != NULL) {
             if (ConfValIsTrue(ssh)) {
@@ -602,6 +621,11 @@ static OutputCtx *JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ctx)
                 json_output_ctx->flags |= LOG_JSON_HTTP;
             }
         }
+        if (smtp != NULL) {
+            if (ConfValIsTrue(smtp)) {
+                json_output_ctx->flags |= LOG_JSON_SMTP;
+            }
+        }
         if (payload_printable != NULL) {
             if (ConfValIsTrue(payload_printable)) {
                 json_output_ctx->flags |= LOG_JSON_PAYLOAD;
index 7767620cda92fd42adb3a4a8351f28717e75b6d7..e0b5538c4e861dbdb858cc7d6c39aa949af3289e 100644 (file)
@@ -108,6 +108,7 @@ outputs:
             # http: yes              # enable dumping of http fields
             # tls: yes               # enable dumping of tls fields
             # ssh: yes               # enable dumping of ssh fields
+            # smtp: yes              # enable dumping of smtp fields
 
             # HTTP X-Forwarded-For support by adding an extra field or overwriting
             # the source or destination IP address (depending on flow direction)