From: Jason Ish
Date: Thu, 25 Jan 2018 20:55:55 +0000 (-0600)
Subject: eve/metadata: log flowvars as a list of k/v pairs
X-Git-Tag: suricata-4.1.0-beta1~251
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b659222ea02a2047b861bcb263f21063b442740c;p=thirdparty%2Fsuricata.git

eve/metadata: log flowvars as a list of k/v pairs

To match the pktvars output.
---
diff --git a/src/output-json.c b/src/output-json.c
index 6b12a1eedf..e32d4af429 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -203,7 +203,7 @@ static void JsonAddFlowVars(const Flow *f, json_t *js_root, json_t **js_traffic)
 VAR_TYPE_FLOW_VAR); if (varname) { if (js_flowvars == NULL) { - js_flowvars = json_object(); + js_flowvars = json_array(); if (js_flowvars == NULL) break; }
@@ -215,12 +215,17 @@ static void JsonAddFlowVars(const Flow *f, json_t *js_root, json_t **js_traffic)
 sizeof(printable_buf), fv->data.fv_str.value, fv->data.fv_str.value_len); - json_object_set_new(js_flowvars, varname, + json_t *js_flowvar = json_object(); + if (unlikely(js_flowvar == NULL)) { + break; + } + json_object_set_new(js_flowvar, varname, json_string((char *)printable_buf)); + json_array_append_new(js_flowvars, js_flowvar); } } else if (fv->datatype == FLOWVAR_TYPE_STR && fv->key != NULL) { if (js_flowvars == NULL) { - js_flowvars = json_object(); + js_flowvars = json_array(); if (js_flowvars == NULL) break; }
@@ -238,9 +243,13 @@ static void JsonAddFlowVars(const Flow *f, json_t *js_root, json_t **js_traffic)
 sizeof(printable_buf), fv->data.fv_str.value, fv->data.fv_str.value_len); - json_object_set_new(js_flowvars, (const char *)keybuf, + json_t *js_flowvar = json_object(); + if (unlikely(js_flowvar == NULL)) { + break; + } + json_object_set_new(js_flowvar, (const char *)keybuf, json_string((char *)printable_buf)); - + json_array_append_new(js_flowvars, js_flowvar); } else if (fv->datatype == FLOWVAR_TYPE_INT) { const char *varname = VarNameStoreLookupById(fv->idx, VAR_TYPE_FLOW_INT);
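Review bot: Switching `js_flowvars` from `json_object()` to `json_array()` in the hunk at -203 changes the type of the logged flowvars field, and nothing in the hunk records the new shape for whoever consumes it. Parsers, SIEM queries and alert rules that address a flowvar by key on the old object form would stop matching without raising an error, which is a quiet detection gap rather than a visible failure. I would add a comment above the allocation such as `/* flowvars: array of single-key objects, [{"name": "value"}, ...], same shape as pktvars */` and call the change out in the EVE output documentation and release notes. The same allocation change is repeated for the keyed branch in the hunk at -215; JsonAddFlowVars starts and ends outside these hunks.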
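Review bot: The return value of `json_object_set_new(js_flowvar, varname, json_string((char *)printable_buf))` in the hunk at -215 is ignored, so if `json_string()` returns NULL (allocation failure, or a buffer jansson rejects as invalid UTF-8) the following `json_array_append_new()` still adds `js_flowvar` as an empty `{}` entry. With the old object form a failed set simply left the key out; now the record gains an element with no name and no value, which is misleading when flowvars are read as evidence. Appending only on success closes that: `if (json_object_set_new(js_flowvar, varname, json_string((char *)printable_buf)) == 0) json_array_append_new(js_flowvars, js_flowvar); else json_decref(js_flowvar);`. The hunk at -238 has the same pattern with `(const char *)keybuf` as the key, which is presumably derived from flow data and so deserves the same check. The enclosing loop and the code that attaches `js_flowvars` to `js_root` are outside the hunks.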