From: Victor Julien <victor@inliniac.net>
Date: Fri, 5 Jun 2020 05:24:40 +0000 (+0200)
Subject: eve/alert: convert decoder event logging to jsonbuilder
X-Git-Tag: suricata-6.0.0-beta1~354
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0db3ee26d0d61a5d89d3cfb4f83f06d8d88c2998;p=thirdparty%2Fsuricata.git

eve/alert: convert decoder event logging to jsonbuilder
---

diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 004c2ddbaa..f6c938dfc8 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -650,6 +650,7 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 
 static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 {
+    AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
     char timebuf[64];
 
     if (p->alerts.cnt == 0)
@@ -665,44 +666,18 @@ static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const
             continue;
         }
 
-        const char *action = "allowed";
-        if (pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) {
-            action = "blocked";
-        } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) {
-            action = "blocked";
-        }
-
-        json_t *js = json_object();
-        if (js == NULL)
-            return TM_ECODE_OK;
-
-        json_t *ajs = json_object();
-        if (ajs == NULL) {
-            json_decref(js);
+        JsonBuilder *jb = jb_new_object();
+        if (unlikely(jb == NULL)) {
             return TM_ECODE_OK;
         }
 
-        /* time & tx */
-        json_object_set_new(js, "timestamp", json_string(timebuf));
-
-        json_object_set_new(ajs, "action", json_string(action));
-        json_object_set_new(ajs, "gid", json_integer(pa->s->gid));
-        json_object_set_new(ajs, "signature_id", json_integer(pa->s->id));
-        json_object_set_new(ajs, "rev", json_integer(pa->s->rev));
-        json_object_set_new(ajs, "signature",
-                            json_string((pa->s->msg) ? pa->s->msg : ""));
-        json_object_set_new(ajs, "category",
-                            json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
-        json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
+        /* just the timestamp, no tuple */
+        jb_set_string(jb, "timestamp", timebuf);
 
-        if (p->tenant_id > 0)
-            json_object_set_new(ajs, "tenant_id", json_integer(p->tenant_id));
+        AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, NULL);
 
-        /* alert */
-        json_object_set_new(js, "alert", ajs);
-        OutputJSONBuffer(js, aft->file_ctx, &aft->json_buffer);
-        json_object_clear(js);
-        json_decref(js);
+        OutputJsonBuilderBuffer(jb, aft->file_ctx, &aft->json_buffer);
+        jb_free(jb);
     }
 
     return TM_ECODE_OK;