From 5597801ccbb49c56cd48bf5c49bf974df0b9fcb4 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Fri, 6 Dec 2019 08:58:56 +0100
Subject: [PATCH] perf: optimizes alert fast log
In the case when we have multiple alerts for one packet We suppose this happens more often than having decoder_event != 0
---
src/alert-fastlog.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/src/alert-fastlog.c b/src/alert-fastlog.c
index 46f4f7ed3b..f1cd686417 100644
--- a/src/alert-fastlog.c
+++ b/src/alert-fastlog.c
@@ -128,6 +128,18 @@ int AlertFastLogger(ThreadVars *tv, void *data, const Packet *p)
 */
 char alert_buffer[MAX_FASTLOG_BUFFER_SIZE];
+ char proto[16] = "";
+ if (SCProtoNameValid(IP_GET_IPPROTO(p)) == TRUE) {
+ strlcpy(proto, known_proto[IP_GET_IPPROTO(p)], sizeof(proto));
+ } else {
+ snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, IP_GET_IPPROTO(p));
+ }
+ uint16_t src_port_or_icmp = p->sp;
+ uint16_t dst_port_or_icmp = p->dp;
+ if (IP_GET_IPPROTO(p) == IPPROTO_ICMP || IP_GET_IPPROTO(p) == IPPROTO_ICMPV6) {
+ src_port_or_icmp = p->icmp_s.type;
+ dst_port_or_icmp = p->icmp_s.code;
+ }
 for (i = 0; i < p->alerts.cnt; i++) {
 const PacketAlert *pa = &p->alerts.alerts[i];
 if (unlikely(pa->s == NULL)) {
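Review bot: The hoisted block now runs unconditionally before the `for` loop, so `IP_GET_IPPROTO(p)`, `p->sp`/`p->dp` and the `p->icmp_s.type`/`p->icmp_s.code` reads are no longer behind the `decoder_event == 0` check that guarded them in their old location. Where `decoder_event` is set is outside this hunk, but if a non-zero value marks packets without a usable IP header, these reads now also happen on exactly the malformed traffic that path exists for. Please confirm that the macro and the `icmp_s` fields are safe on such packets. Alternatively, keep the declarations above the loop with neutral initialisers and wrap the computation in `if (likely(decoder_event == 0)) { ... }`, which preserves the once-per-packet saving. In either case a short comment such as `/* loop-invariant per packet; only used by the decoder_event == 0 branch below */` would explain why the block sits here. AlertFastLogger's body begins and ends outside the hunk.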
@@ -144,18 +156,6 @@ int AlertFastLogger(ThreadVars *tv, void *data, const Packet *p)
 /* Create the alert string without locking. */
 int size = 0;
 if (likely(decoder_event == 0)) {
- char proto[16] = "";
- if (SCProtoNameValid(IP_GET_IPPROTO(p)) == TRUE) {
- strlcpy(proto, known_proto[IP_GET_IPPROTO(p)], sizeof(proto));
- } else {
- snprintf(proto, sizeof(proto), "PROTO:%03" PRIu32, IP_GET_IPPROTO(p));
- }
- uint16_t src_port_or_icmp = p->sp;
- uint16_t dst_port_or_icmp = p->dp;
- if (IP_GET_IPPROTO(p) == IPPROTO_ICMP || IP_GET_IPPROTO(p) == IPPROTO_ICMPV6) {
- src_port_or_icmp = p->icmp_s.type;
- dst_port_or_icmp = p->icmp_s.code;
- }
 PrintBufferData(alert_buffer, &size, MAX_FASTLOG_ALERT_SIZE, "%s %s[**] [%" PRIu32 ":%" PRIu32 ":%" PRIu32 "] %s [**] [Classification: %s] [Priority: %"PRIu32"]"
--
2.47.2