From: Eric Leblond Date: Thu, 22 Jun 2017 07:20:05 +0000 (+0200) Subject: doc: info about new config for alert events in EVE X-Git-Tag: suricata-4.0.0-rc1~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e581436a7d47043ec9264fdfe76ee19a4766b53;p=thirdparty%2Fsuricata.git doc: info about new config for alert events in EVE --- diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst index 84580e0c70..c39432b272 100644 --- a/doc/userguide/output/eve/eve-json-output.rst +++ b/doc/userguide/output/eve/eve-json-output.rst @@ -163,10 +163,22 @@ Metadata:: # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log # payload-printable: yes # enable dumping payload in printable (lossy) format # packet: yes # enable dumping of packet (without stream segments) + metadata: yes # add L7/applayer fields, flowbit and other vars to the alert + +Alternatively to the `metadata` key it is also possible to select the application +layer metadata to output on a per application layer basis :: + + - alert: http: yes # enable dumping of http fields tls: yes # enable dumping of tls fields ssh: yes # enable dumping of ssh fields smtp: yes # enable dumping of smtp fields + dnp3: yes # enable dumping of dnp3 fields + flow: yes # enable dumping of a partial flow entry + vars: yes # enable dumping of flowbits and other vars + +The `vars` will enable dumping of a set of key/value based on flowbits and other vars +such as named groups in regular expression. DNS ~~~
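Review bot: the relationship between the new `metadata: yes` key and the per-protocol keys (`http`, `tls`, `ssh`, `smtp`, `dnp3`, `flow`, `vars`) added in the same hunk is left unstated; a reader cannot tell whether `metadata: yes` is a shorthand that enables all of them, whether a per-protocol `no` still wins when `metadata: yes` is set, or what is emitted when neither form appears in the config. One sentence after "Alternatively to the `metadata` key ..." stating which setting takes precedence, and what the default is when the key is absent, would settle that. Two wording fixes in the added text: "Alternatively to the `metadata` key it is also possible" reads better as "As an alternative to the `metadata` key, it is also possible", and "dumping of a set of key/value based on flowbits and other vars such as named groups in regular expression" is missing a noun and a plural, e.g. "dumping of a set of key/value pairs based on flowbits and other vars, such as named groups in regular expressions". Also worth a line: `flow: yes` here is described only as "a partial flow entry"; since `flow` is also an EVE event type of its own, say that this key embeds a subset of the flow record inside the alert record rather than emitting a separate flow event. Finally, the new `metadata: yes` line is inserted uncommented among the commented-out `payload-*`/`packet` examples, so the rendered sample now enables it; confirm that matches the shipped suricata.yaml default, or comment it out like its neighbours.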