From: Eric Leblond
Date: Fri, 17 Apr 2015 14:34:56 +0000 (+0200)
Subject: smtp-json: update SMTP EVE messages
X-Git-Tag: suricata-3.0RC1~131
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2abae3f0a13237a3a945b058b03147b59acdc8e0;p=thirdparty%2Fsuricata.git
smtp-json: update SMTP EVE messages This patch updates SMTP message to have them feature a 'smtp' section which will contain all fields coming from the smtp protocol.
---
diff --git a/src/output-json-smtp.c b/src/output-json-smtp.c
index bb835f07c3..43ac93d542 100644
--- a/src/output-json-smtp.c
+++ b/src/output-json-smtp.c
@@ -54,12 +54,32 @@
 #ifdef HAVE_LIBJANSSON
 #include 
+static json_t *JsonSmtpDataLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, void *vtx, uint64_t tx_id)
+{
+    json_t *sjs = json_object();
+    SMTPTransaction *tx = vtx;
+    if (sjs == NULL) {
+        return NULL;
+    }
+    if (((SMTPState *)state)->helo) {
+        json_object_set_new(sjs, "helo",
+                json_string((const char *)((SMTPState *)state)->helo));
+    }
+    if (tx->mail_from) {
+        json_object_set_new(sjs, "mail_from",
+                json_string((const char *)tx->mail_from));
+    }
+
+    return sjs;
+}
+
 static int JsonSmtpLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flow *f, void *state, void *tx, uint64_t tx_id)
 {
     SCEnter();
     JsonEmailLogThread *jhl = (JsonEmailLogThread *)thread_data;
     MemBuffer *buffer = (MemBuffer *)jhl->buffer;
+    json_t *sjs;
     json_t *js = CreateJSONHeader((Packet *)p, 1, "smtp");
     if (unlikely(js == NULL)) return TM_ECODE_OK;
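Review bot: In JsonSmtpDataLogger the two json_string() results are passed straight into json_object_set_new() without being checked, and jansson's json_string() returns NULL when its input is not valid UTF-8, in which case json_object_set_new() fails and the field is silently missing from the record. Both helo and mail_from are copied from what the SMTP client sent, so a peer that emits non-UTF-8 bytes in HELO or MAIL FROM simply disappears from the EVE log, which is a blind spot for anyone alerting on those fields. Capture the value first, `json_t *v = json_string((const char *)tx->mail_from);`, and either set it when non-NULL or substitute a marker such as `json_string("<invalid-utf8>")` (constructed example) so the record still shows the field was present; the same applies to the helo branch. If SMTPState and SMTPTransaction also carry the field lengths, json_stringn() with that length would avoid relying on a terminating NUL that nothing in this hunk shows being guaranteed. The helper's tv, thread_data, p, f and tx_id parameters are unused, which is acceptable while the signature mirrors JsonSmtpLogger but deserves a one-line comment saying so.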
@@ -67,10 +87,18 @@ static int JsonSmtpLogger(ThreadVars *tv, void *thread_data, const Packet *p, Fl
     /* reset */
     MemBufferReset(buffer);
+    sjs = JsonSmtpDataLogger(tv, thread_data, p, f, state, tx, tx_id);
+    if (sjs) {
+        json_object_set_new(js, "smtp", sjs);
+    }
+
     if (JsonEmailLogJson(jhl, js, p, f, state, tx, tx_id) == TM_ECODE_OK) {
         OutputJSONBuffer(js, jhl->emaillog_ctx->file_ctx, buffer);
     }
-    json_object_del(js, "smtp");
+    json_object_del(js, "email");
+    if (sjs) {
+        json_object_del(js, "smtp");
+    }
     json_object_clear(js);
     json_decref(js);