alert/eve: move logging of rule text (jsonbuilder prep)

Move the logging of the rule text to where the alert object
is being logged to remove the usage of json_object_get...

Getting previously logged objects will not be possible with
JsonBuilder.

diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 13406df1571f1c3f525ef4546c25bd4bbe3a0a46..5b078fc555b9bda0a2a42b974913932e802b2ed3 100644 (file)
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -342,6 +342,10 @@ void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, json_t *
         AlertJsonMetadata(json_output_ctx, pa, ajs);
     }
 
+    if (flags & LOG_JSON_RULE) {
+        json_object_set_new(ajs, "rule", json_string(pa->s->sig_str));
+    }
+
     /* alert */
     json_object_set_new(js, "alert", ajs);
 }
@@ -561,13 +565,6 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
             JsonPacket(p, js, 0);
         }
 
-        /* signature text */
-        if (json_output_ctx->flags & LOG_JSON_RULE) {
-            hjs = json_object_get(js, "alert");
-            if (json_is_object(hjs))
-                json_object_set_new(hjs, "rule", json_string(pa->s->sig_str));
-        }
-
         HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ?
             json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;;