From: Victor Julien
Date: Fri, 5 May 2017 08:54:06 +0000 (+0200)
Subject: eve.flow: log original and expected app_protocols
X-Git-Tag: suricata-4.0.0-beta1~91
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9c071d1724797466853da1d8f27481e9dd42a2c4;p=thirdparty%2Fsuricata.git
eve.flow: log original and expected app_protocols
Log protocols if they are available.
---
diff --git a/src/output-json-flow.c b/src/output-json-flow.c
index 5df87d842f..19f94bab3c 100644
--- a/src/output-json-flow.c
+++ b/src/output-json-flow.c
@@ -198,6 +198,14 @@ static void JsonFlowLogJSON(JsonFlowLogThread *aft, json_t *js, Flow *f)
 json_object_set_new(js, "app_proto_tc",
 json_string(AppProtoToString(f->alproto_tc)));
 }
+ if (f->alproto_orig != f->alproto && f->alproto_orig != ALPROTO_UNKNOWN) {
+ json_object_set_new(js, "app_proto_orig",
+ json_string(AppProtoToString(f->alproto_orig)));
+ }
+ if (f->alproto_expect != f->alproto && f->alproto_expect != ALPROTO_UNKNOWN) {
+ json_object_set_new(js, "app_proto_expected",
+ json_string(AppProtoToString(f->alproto_expect)));
+ }
 
 json_object_set_new(hjs, "pkts_toserver",
 json_integer(f->todstpktcnt));
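Review bot: The two new conditions in JsonFlowLogJSON carry no comment saying what `alproto_orig` and `alproto_expect` represent or why each key is left out when the value equals `f->alproto` or is `ALPROTO_UNKNOWN`, yet consumers of the EVE flow record will build rules on exactly that omission behaviour. I would add above the first `if`: `/* log the pre-change and the expected protocol only when set and different from the final alproto */`. Presumably both members are populated on a protocol change or upgrade (the hunk does not show where they are set); if so, a record where `app_proto_expected` is present is a case where the flow did not end up as the protocol it announced, so the rule belongs in the EVE output documentation as well. The key is spelled `app_proto_expected` while the member is `alproto_expect`; worth confirming that spelling before it becomes part of the log schema. The function body starts and ends outside the hunk.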