From: Jeff Lucovsky Date: Sat, 25 May 2019 12:51:56 +0000 (-0700) Subject: userguide: ftp formatting updates X-Git-Tag: suricata-5.0.0-rc1~194 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c68510437f4ebf0582fcbc73240ab742ed4aec21;p=thirdparty%2Fsuricata.git userguide: ftp formatting updates
---
diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index 338f9aadfa..e255a7c3e6 100644
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -542,7 +542,8 @@ Fields
 * "command": The FTP command.
 * "command_data": The data accompanying the command.
 * "reply": The command reply, which may contain multiple lines, in array format.
-* "completion_code": The 3-digit completion code. The first digit indicates whether the response is good, bad or incomplete.
+* "completion_code": The 3-digit completion code. The first digit indicates whether the response is good, bad or incomplete. This
+ is also in array format and may contain multiple completion codes matching multiple reply lines.
 * "dynamic_port": The dynamic port established for subsequent data transfers, when applicable, with a "PORT" or "EPRT" command.
 * "mode": The type of FTP connection. Most connections are "passive" but may be "active".
 * "reply_received": Indicates whether a response was matched to the command. In some non-typical cases, a command may lack a response.
@@ -557,15 +558,17 @@ Example of regular FTP logging: "ftp": { "command": "RETR", - "command_data": "index.html", + "command_data": "100KB.zip", "reply": [ - "Opening BINARY mode data connection for index.html (6712 bytes)", - "Transfer complete" + "Opening BINARY mode data connection for 100KB.zip (102400 bytes).", + "Transfer complete." + ], + "completion_code": [ + "150", + "226" ], - "completion_code": "150" - } -Example showing all fields +Example showing all fields: ::
@@ -573,11 +576,14 @@ Example showing all fields "command": "EPRT", "command_data": "|2|2a01:e34:ee97:b130:8c3e:45ea:5ac6:e301|41813|", "reply": [ - "EPRT command successful. Consider using EPSV" + "EPRT command successful. Consider using EPSV." + ], + "completion_code": [ + "200" ], - "reply_code": "200", "dynamic_port": 41813, - "mode": "active" + "mode": "active", + "reply_received": "yes" } Event type: FTP_DATA
@@ -589,7 +595,6 @@ Fields * "command": The FTP command associated with the event. * "filename": The name of the involved file. - Examples ~~~~~~~~