From: Jason Ish <ish@unx.ca>
Date: Mon, 11 Dec 2017 21:50:25 +0000 (-0600)
Subject: eve: alert: global metadata config
X-Git-Tag: suricata-4.1.0-beta1~260
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a05160353a744be68037e12b557ac0d58f07ba1;p=thirdparty%2Fsuricata.git

eve: alert: global metadata config

Also, remove vars as a subtype. Adding the top level metadata
field is an eve lebel parameter, not alert now.
---

diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index f2170929c8..8a0ef7a266 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -86,13 +86,12 @@
 #define LOG_JSON_SMTP              BIT_U16(6)
 #define LOG_JSON_TAGGED_PACKETS    BIT_U16(7)
 #define LOG_JSON_DNP3              BIT_U16(8)
-#define LOG_JSON_VARS              BIT_U16(9)
-#define LOG_JSON_APP_LAYER         BIT_U16(10)
-#define LOG_JSON_FLOW              BIT_U16(11)
-#define LOG_JSON_HTTP_BODY         BIT_U16(12)
-#define LOG_JSON_HTTP_BODY_BASE64  BIT_U16(13)
+#define LOG_JSON_APP_LAYER         BIT_U16(9)
+#define LOG_JSON_FLOW              BIT_U16(10)
+#define LOG_JSON_HTTP_BODY         BIT_U16(11)
+#define LOG_JSON_HTTP_BODY_BASE64  BIT_U16(12)
 
-#define LOG_JSON_METADATA_ALL  (LOG_JSON_APP_LAYER|LOG_JSON_HTTP|LOG_JSON_TLS|LOG_JSON_SSH|LOG_JSON_SMTP|LOG_JSON_DNP3|LOG_JSON_VARS|LOG_JSON_FLOW)
+#define LOG_JSON_METADATA_ALL  (LOG_JSON_APP_LAYER|LOG_JSON_HTTP|LOG_JSON_TLS|LOG_JSON_SSH|LOG_JSON_SMTP|LOG_JSON_DNP3|LOG_JSON_FLOW)
 
 #define JSON_STREAM_BUFFER_SIZE 4096
 
@@ -101,6 +100,7 @@ typedef struct AlertJsonOutputCtx_ {
     uint16_t flags;
     uint32_t payload_buffer_size;
     HttpXFFCfg *xff_cfg;
+    bool include_metadata;
 } AlertJsonOutputCtx;
 
 typedef struct JsonAlertLogThread_ {
@@ -356,6 +356,10 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
     if (unlikely(js == NULL))
         return TM_ECODE_OK;
 
+    if (json_output_ctx->include_metadata) {
+        JsonAddMetadata(p, p->flow, js);
+    }
+
     for (i = 0; i < p->alerts.cnt; i++) {
         const PacketAlert *pa = &p->alerts.alerts[i];
         if (unlikely(pa->s == NULL)) {
@@ -456,10 +460,6 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
             }
         }
 
-        if (json_output_ctx->flags & LOG_JSON_VARS) {
-            JsonAddVars(p, p->flow, js);
-        }
-
         if (p->flow) {
             if (json_output_ctx->flags & LOG_JSON_FLOW) {
                 hjs = json_object();
@@ -786,7 +786,6 @@ static void XffSetup(AlertJsonOutputCtx *json_output_ctx, ConfNode *conf)
     if (conf != NULL) {
         SetFlag(conf, "metadata", LOG_JSON_METADATA_ALL, &json_output_ctx->flags);
         SetFlag(conf, "flow", LOG_JSON_FLOW, &json_output_ctx->flags);
-        SetFlag(conf, "vars", LOG_JSON_VARS, &json_output_ctx->flags);
 
         SetFlag(conf, "http", LOG_JSON_HTTP, &json_output_ctx->flags);
         SetFlag(conf, "tls",  LOG_JSON_TLS,  &json_output_ctx->flags);
@@ -888,6 +887,7 @@ static OutputInitResult JsonAlertLogInitCtxSub(ConfNode *conf, OutputCtx *parent
     memset(json_output_ctx, 0, sizeof(AlertJsonOutputCtx));
 
     json_output_ctx->file_ctx = ajt->file_ctx;
+    json_output_ctx->include_metadata = ajt->include_metadata;
 
     XffSetup(json_output_ctx, conf);