From: Philippe Antoine Date: Mon, 26 Dec 2022 20:07:36 +0000 (+0100) Subject: flow: complete stats for app_layer protocol counters X-Git-Tag: suricata-7.0.0-rc1~180 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27d2bce1a1a0aae0b69f390a673afbb85bf68b42;p=thirdparty%2Fsuricata.git flow: complete stats for app_layer protocol counters In the case of a gap, or in the case of a flow where one side is recognized, but the other is not before the end, we still increase the counters to have consistency between jq 'select(.event_type=="flow" and .app_proto=="ftp") | .app_proto' log/eve.json | wc -l jq 'select(.event_type=="stats") | .stats."app_layer".flow.ftp' log/eve.json Ticket: #5769
---
diff --git a/src/app-layer.c b/src/app-layer.c
index 60f0ef5ddc..8b5f307cda 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -603,6 +603,10 @@ static int TCPProtoDetect(ThreadVars *tv,
 AppLayerIncFlowCounter(tv, f);
 FlagPacketFlow(p, f, flags);
+ } else if (flags & STREAM_EOF) {
+ *alproto = f->alproto;
+ StreamTcpSetStreamFlagAppProtoDetectionCompleted(*stream);
+ AppLayerIncFlowCounter(tv, f);
 }
 } else {
 /* both sides unknown, let's see if we need to give up */
@@ -676,6 +680,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 if (f->alproto == ALPROTO_UNKNOWN) {
 goto failure;
 }
+ AppLayerIncFlowCounter(tv, f);
 }
 if (FlowChangeProto(f)) {
 FlowUnsetChangeProtoFlag(f);
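Review bot: The new `else if (flags & STREAM_EOF)` branch in TCPProtoDetect marks detection completed and counts the flow but, unlike the branch just above it, does not call `FlagPacketFlow(p, f, flags)`. If leaving the packet and flow unflagged at end of stream is intended, record that in a comment such as `/* EOF with only the other side recognized: adopt f->alproto and account the flow; FlagPacketFlow skipped on purpose */`; otherwise add the call after `AppLayerIncFlowCounter(tv, f);`. The branch also copies `f->alproto` into `*alproto` unchecked, which presumably relies on the enclosing condition guaranteeing that the other direction already set it. That condition, like the rest of TCPProtoDetect, lies outside the hunk.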
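Review bot: Nothing visible around the added `AppLayerIncFlowCounter(tv, f);` in AppLayerHandleTCPData shows that it runs at most once per flow, and the commit's goal of matching flow events against the `app_layer.flow.ftp`-style stats depends on exactly that. The enclosing condition starts outside the hunk, so please confirm that a second gap in the same direction, or the new EOF branch in TCPProtoDetect, cannot reach an increment again for a flow that was already counted. A short comment would record the invariant, e.g. `/* other side already detected the proto: account the flow here, exactly once */`. Stream gaps are routine under packet loss, so a double count here would be easy to hit and would skew the counters operators compare against flow logs.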