From: Eric Leblond Date: Tue, 6 Jun 2017 16:45:52 +0000 (+0200) Subject: doc: some more info about alert format X-Git-Tag: suricata-4.0.0-rc1~75 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f4374ffd0bfce53abb04b6f415ea7d55f84eba70;p=thirdparty%2Fsuricata.git doc: some more info about alert format --- diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst index 2d2a5632a2..bf69ad087f 100644 --- a/doc/userguide/output/eve/eve-json-format.rst +++ b/doc/userguide/output/eve/eve-json-format.rst @@ -64,6 +64,27 @@ Example: Action is set to "allowed" unless a rule used the "drop" action and Suricata is in IPS mode, or when the rule used the "reject" action. +It can also contain information about Source and Target of the attack in the alert.source and alert.target field it target keyword is used in +the signature. + +:: + + "alert": { + "action": "allowed", + "gid": 1, + "signature_id": 1, + "rev": 1, + "signature": "HTTP body talking about corruption", + "severity": 3, + "source": { + "ip": "192.168.43.32", + "port": 36292 + }, + "target": { + "ip": "179.60.192.3", + "port": 80 + }, + Event type: HTTP ----------------
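Review bot: the new sentence in the hunk has two wording errors that make it hard to parse: "in the alert.source and alert.target field it target keyword is used" should read "in the alert.source and alert.target fields if the target keyword is used" ("it" for "if the", and "fields" since two fields are described). Suggested replacement for the two added prose lines: `It can also contain information about the source and target of the attack in the alert.source and alert.target fields if the target keyword is used in the signature.` Separately, the literal block stops at the target object's closing `},` and never closes the enclosing "alert" object, so the JSON sample as added is unterminated; either add the final `}` or state in the lead-in that the block is an excerpt of the alert object.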