From: Philippe Antoine Date: Tue, 30 Nov 2021 13:21:48 +0000 (+0100) Subject: eve/ftp-data: log alert metadata in ftp-data object X-Git-Tag: suricata-7.0.0-beta1~1129 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27dd0c6b3def8149168eda8ae93aeee082645ff1;p=thirdparty%2Fsuricata.git eve/ftp-data: log alert metadata in ftp-data object Ticket: 4860 instead of directly in root --- diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index 96b8f0518a..e93e8c467b 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst @@ -45,6 +45,7 @@ Logging changes ~~~~~~~~~~~~~~~ - IKEv2 Eve logging changed, the event_type has become ``ike``. The fields ``errors`` and ``notify`` have moved to ``ike.ikev2.errors`` and ``ike.ikev2.notify``. +- FTP DATA metadata for alerts are now logged in ``ftp_data`` instead of root. Other changes ~~~~~~~~~~~~~ diff --git a/src/output-json-alert.c b/src/output-json-alert.c index 0ebe6fe0c1..50d9bc216d 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -519,7 +519,10 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb, } break; case ALPROTO_FTPDATA: + jb_get_mark(jb, &mark); + jb_open_object(jb, "ftp_data"); EveFTPDataAddMetadata(p->flow, jb); + jb_close(jb); break; case ALPROTO_DNP3: AlertJsonDnp3(p->flow, tx_id, jb);
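Review bot: The new bullet in doc/userguide/upgrade.rst has a number-agreement slip and is narrower than it reads. "FTP DATA metadata for alerts are now logged" should be "is now logged", and since the code change sits in AlertAddAppLayer in output-json-alert.c, the note should say that this affects the ``alert`` event type only, so readers do not take it as a change to the ``ftp_data`` event itself. Suggested wording, matching the IKEv2 bullet above it: "- In ``alert`` events, FTP DATA metadata is now logged under the ``ftp_data`` object instead of at the root of the event."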
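Review bot: In the ALPROTO_FTPDATA case of AlertAddAppLayer, `jb_get_mark(jb, &mark);` is taken before `jb_open_object(jb, "ftp_data");`, but nothing in the hunk ever restores that mark: `EveFTPDataAddMetadata(p->flow, jb);` is called unconditionally and the object is always closed, so a flow with no FTP data metadata yields an empty `"ftp_data": {}` object in the alert. Either have EveFTPDataAddMetadata report whether it wrote any fields and call `jb_restore_mark(jb, &mark)` when it did not (which is what the mark is for), or drop the `jb_get_mark` call so it does not look like an unfinished rollback. The `mark` variable is also not declared in the visible lines; confirm it is in scope for this switch.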