From: Mats Klepsland
Date: Tue, 31 Jan 2017 14:02:21 +0000 (+0100)
Subject: output-json-tls: log 'from_proto' field
X-Git-Tag: suricata-4.0.0-beta1~98
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=74aa65073b01d72e027e6abe696b3298c3f7ac2b;p=thirdparty%2Fsuricata.git
output-json-tls: log 'from_proto' field
Log the original application level protocol when protocol have been changed because of STARTTLS, HTTP CONNECT or similar.
---
diff --git a/src/output-json-tls.c b/src/output-json-tls.c
index 5184373d65..3bdd481621 100644
--- a/src/output-json-tls.c
+++ b/src/output-json-tls.c
@@ -383,6 +383,13 @@ static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
 JsonTlsLogJSONBasic(tjs, ssl_state);
 }
+ /* print original application level protocol when it have been changed
+ because of STARTTLS, HTTP CONNECT, or similar. */
+ if (f->alproto_orig != ALPROTO_UNKNOWN) {
+ json_object_set_new(tjs, "from_proto",
+ json_string(AppLayerGetProtoName(f->alproto_orig)));
+ }
+
 json_object_set_new(js, "tls", tjs);
 OutputJSONBuffer(js, tls_ctx->file_ctx, &aft->buffer);
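Review bot: In the added `if (f->alproto_orig != ALPROTO_UNKNOWN)` block, the result of `AppLayerGetProtoName()` is passed straight to `json_string()` with no NULL check. If the lookup can return NULL for the stored value (not visible here), jansson's `json_string(NULL)` yields NULL and `json_object_set_new()` rejects it, so `from_proto` is dropped without any trace and consumers that rely on the field to tell STARTTLS or CONNECT upgrades from direct TLS see nothing. Holding the name in a local makes that case explicit: `const char *from_proto = AppLayerGetProtoName(f->alproto_orig);` followed by `if (from_proto != NULL) json_object_set_new(tjs, "from_proto", json_string(from_proto));`. The comment should read "when it has been changed". JsonTlsLogger starts and ends outside the hunk, so whether `f` is always non-NULL at this point cannot be confirmed from here.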