From: Joyce Yu Date: Mon, 17 Mar 2025 18:57:48 +0000 (-0400) Subject: Doc: update eve-json-output ethernet description X-Git-Tag: suricata-8.0.0-beta1~255 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dac0d6371e620c23bc96d2912fcd7494234587f1;p=thirdparty%2Fsuricata.git Doc: update eve-json-output ethernet description Document getting mac addresses from flow when flow timeout. --- diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst index 7700725105..7ebda748d0 100644 --- a/doc/userguide/output/eve/eve-json-output.rst +++ b/doc/userguide/output/eve/eve-json-output.rst @@ -15,7 +15,9 @@ Each alert, http log, etc will go into this one file: 'eve.json'. This file can then be processed by 3rd party tools like Logstash (ELK) or jq. If ``ethernet`` is set to yes, then ethernet headers will be added to events -if available. +if available. If the ``pkt_src`` value is ``stream (flow timeout)``, then the +``ethernet`` value will be populated with mac addresses from the flow's first +packet with ethernet header. Output Buffering ~~~~~~~~~~~~~~~~
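Review bot: The new sentence in the only hunk (``@@ -15,7 +15,9 @@``) documents the populated case but not the empty one: say what the ``ethernet`` object contains when ``pkt_src`` is ``stream (flow timeout)`` and no packet in the flow carried an ethernet header (omitted, or present with empty fields), since a reader matching on those addresses in a SIEM needs to know which to expect. Two wording points in the same lines: "mac addresses" should be "MAC addresses", and "the flow's first packet with ethernet header" reads better as "the first packet of the flow that had an ethernet header". It would also help to state explicitly that ``src_mac`` and ``dest_mac`` in a flow-timeout event therefore reflect the direction of that first packet rather than the direction of the event being logged, if that is the intended behaviour, because the current text leaves it to the reader to infer.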