From: Jason Ish Date: Sun, 15 Mar 2020 15:50:45 +0000 (-0600) Subject: flow/eve: separate flow and app_proto logging (jsonbuilder prep) X-Git-Tag: suricata-6.0.0-beta1~390 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5ab673aee2a36b10e9b9d3c017bdec0979e661ce;p=thirdparty%2Fsuricata.git flow/eve: separate flow and app_proto logging (jsonbuilder prep) Currently the flow logger also logs app_proto information, but not to the flow object, but instead to the root object of the log record. Refactor into 2 separate methods, one for the app_proto and one for the flow, to make this more clear, as well as make it easier to refactor for JsonBuilder as JsonBuilder can only write to the currently open object. --- diff --git a/src/output-json-alert.c b/src/output-json-alert.c index 497d09b230..2b955c050e 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -530,15 +530,13 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p) } if (p->flow) { + JsonAddAppProto(p->flow, js); if (json_output_ctx->flags & LOG_JSON_FLOW) { hjs = json_object(); if (hjs != NULL) { - JsonAddFlow(p->flow, js, hjs); + JsonAddFlow(p->flow, hjs); json_object_set_new(js, "flow", hjs); } - } else { - json_object_set_new(js, "app_proto", - json_string(AppProtoToString(p->flow->alproto))); } } diff --git a/src/output-json-flow.c b/src/output-json-flow.c index 171b9424d9..6f58b5da99 100644 --- a/src/output-json-flow.c +++ b/src/output-json-flow.c @@ -177,7 +177,7 @@ static json_t *CreateJSONHeaderFromFlow(const Flow *f, const char *event_type) return js; } -void JsonAddFlow(Flow *f, json_t *js, json_t *hjs) +void JsonAddAppProto(Flow *f, json_t *js) { json_object_set_new(js, "app_proto", json_string(AppProtoToString(f->alproto))); 
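Review bot: In the alert.c hunk the unconditional `JsonAddAppProto(p->flow, js);` replaces an else branch that emitted only `app_proto`, so alert records written without LOG_JSON_FLOW now receive every key that function writes; the flow.c hunk shows it also writing a value derived from `f->alproto_expect`, so the alert schema without the flow option gains fields the commit message does not mention. If that widening is intended, say so in the description; if not, keep the narrower `json_object_set_new(js, "app_proto", json_string(AppProtoToString(p->flow->alproto)));` in the else branch and call JsonAddAppProto only inside the LOG_JSON_FLOW branch. AlertJson begins and ends outside the hunk, so the surrounding error handling is not visible here.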
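Review bot: The renamed definition keeps `Flow *f` although the lines visible in this hunk only read `f->alproto` (and the following hunk reads `f->alproto_expect`); if the rest of the body is read-only as well, `void JsonAddAppProto(const Flow *f, json_t *js)` (mirrored in output-json-flow.h) would document that the logger never mutates the flow. The function also has no comment stating which object `js` is, and in the alert.c hunk it is the record's root object rather than the "flow" object that JsonAddFlow receives; a line such as `/* Writes the app_proto* keys of f into js; current callers pass the record's root object. */` above the definition would keep the two helpers from being mixed up. The body continues past the end of this hunk.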
@@ -198,42 +198,46 @@ void JsonAddFlow(Flow *f, json_t *js, json_t *hjs) json_string(AppProtoToString(f->alproto_expect))); } +} + +void JsonAddFlow(Flow *f, json_t *js) +{ FlowBypassInfo *fc = FlowGetStorageById(f, GetFlowBypassInfoID()); if (fc) { - json_object_set_new(hjs, "pkts_toserver", + json_object_set_new(js, "pkts_toserver", json_integer(f->todstpktcnt + fc->todstpktcnt)); - json_object_set_new(hjs, "pkts_toclient", + json_object_set_new(js, "pkts_toclient", json_integer(f->tosrcpktcnt + fc->tosrcpktcnt)); - json_object_set_new(hjs, "bytes_toserver", + json_object_set_new(js, "bytes_toserver", json_integer(f->todstbytecnt + fc->todstbytecnt)); - json_object_set_new(hjs, "bytes_toclient", + json_object_set_new(js, "bytes_toclient", json_integer(f->tosrcbytecnt + fc->tosrcbytecnt)); - json_t *bhjs = json_object(); - if (bhjs != NULL) { - json_object_set_new(bhjs, "pkts_toserver", + json_t *bjs = json_object(); + if (bjs != NULL) { + json_object_set_new(bjs, "pkts_toserver", json_integer(fc->todstpktcnt)); - json_object_set_new(bhjs, "pkts_toclient", + json_object_set_new(bjs, "pkts_toclient", json_integer(fc->tosrcpktcnt)); - json_object_set_new(bhjs, "bytes_toserver", + json_object_set_new(bjs, "bytes_toserver", json_integer(fc->todstbytecnt)); - json_object_set_new(bhjs, "bytes_toclient", + json_object_set_new(bjs, "bytes_toclient", json_integer(fc->tosrcbytecnt)); - json_object_set_new(hjs, "bypassed", bhjs); + json_object_set_new(js, "bypassed", bjs); } } else { - json_object_set_new(hjs, "pkts_toserver", + json_object_set_new(js, "pkts_toserver", json_integer(f->todstpktcnt)); - json_object_set_new(hjs, "pkts_toclient", + json_object_set_new(js, "pkts_toclient", json_integer(f->tosrcpktcnt)); - json_object_set_new(hjs, "bytes_toserver", + json_object_set_new(js, "bytes_toserver", json_integer(f->todstbytecnt)); - json_object_set_new(hjs, "bytes_toclient", + json_object_set_new(js, "bytes_toclient", json_integer(f->tosrcbytecnt)); } char timebuf1[64]; 
CreateIsoTimeString(&f->startts, timebuf1, sizeof(timebuf1)); - json_object_set_new(hjs, "start", json_string(timebuf1)); + json_object_set_new(js, "start", json_string(timebuf1)); } /* JSON format logging */ @@ -245,7 +249,8 @@ static void JsonFlowLogJSON(JsonFlowLogThread *aft, json_t *js, Flow *f) return; } - JsonAddFlow(f, js, hjs); + JsonAddAppProto(f, js); + JsonAddFlow(f, hjs); char timebuf2[64]; CreateIsoTimeString(&f->lastts, timebuf2, sizeof(timebuf2)); diff --git a/src/output-json-flow.h b/src/output-json-flow.h index 8af35ed041..d4b017b522 100644 --- a/src/output-json-flow.h +++ b/src/output-json-flow.h @@ -25,6 +25,7 @@ #define __OUTPUT_JSON_FLOW_H__ void JsonFlowLogRegister(void); -void JsonAddFlow(Flow *f, json_t *js, json_t *hjs); +void JsonAddFlow(Flow *f, json_t *js); +void JsonAddAppProto(Flow *f, json_t *js); #endif /* __OUTPUT_JSON_FLOW_H__ */
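Review bot: The four counter keys in JsonAddFlow are written twice, once in each branch of `if (fc)`, differing only in whether the bypass counts are added; since the commit already rewrites every one of those lines, folding the bypass contribution into a conditional term leaves a single set of `json_object_set_new` calls and only the `bypassed` sub-object behind the branch. The `bjs == NULL` path still silently drops the bypassed breakdown while the totals are logged, which is pre-existing but deserves a comment such as `/* allocation failure: log totals without the bypassed breakdown */`. The rewritten lines below replace the `if (fc) ... else ...` block; the start-timestamp lines that follow it are unchanged.
```c
void JsonAddFlow(Flow *f, json_t *js)
{
    FlowBypassInfo *fc = FlowGetStorageById(f, GetFlowBypassInfoID());
    /* totals include bypassed traffic when a bypass record exists */
    json_object_set_new(js, "pkts_toserver",
            json_integer(f->todstpktcnt + (fc ? fc->todstpktcnt : 0)));
    json_object_set_new(js, "pkts_toclient",
            json_integer(f->tosrcpktcnt + (fc ? fc->tosrcpktcnt : 0)));
    json_object_set_new(js, "bytes_toserver",
            json_integer(f->todstbytecnt + (fc ? fc->todstbytecnt : 0)));
    json_object_set_new(js, "bytes_toclient",
            json_integer(f->tosrcbytecnt + (fc ? fc->tosrcbytecnt : 0)));
    if (fc) {
        json_t *bjs = json_object();
        if (bjs != NULL) {
            /* … unchanged: bypassed pkts/bytes keys … */
            json_object_set_new(js, "bypassed", bjs);
        }
        /* allocation failure: log totals without the bypassed breakdown */
    }
    /* … unchanged: "start" timestamp … */
```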
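Review bot: The two prototypes in output-json-flow.h carry no comment, yet their `js` arguments mean different objects: in the alert.c hunk JsonAddAppProto receives the record's root object while JsonAddFlow receives the object that is then stored under the "flow" key, and JsonFlowLogJSON appears to follow the same split with `js` and `hjs`. A short Doxygen comment on each declaration would pin that contract, e.g. `/** Add the app_proto* keys of f to js; callers pass the record's root object. */` above JsonAddAppProto and `/** Add the packet/byte counters and start time of f to js; callers pass the "flow" sub-object. */` above JsonAddFlow. Whether the declarations should take `const Flow *` depends on FlowGetStorageById's signature, which is not visible here.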