From d28c646662f66d2a6e0633cf140220603da8b337 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 24 Jun 2024 22:11:17 +0200
Subject: [PATCH] output/dcerpc: call jb_get_mark just before jb_open_object
---
 src/output-json-alert.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 070b021ed7..22a3f7cb9f 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -385,12 +385,12 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
 jb_restore_mark(jb, &mark);
 }
 break;
- case ALPROTO_DCERPC:
- jb_get_mark(jb, &mark);
+ case ALPROTO_DCERPC: {
 void *state = FlowGetAppState(p->flow);
 if (state) {
 void *tx = AppLayerParserGetTx(p->flow->proto, proto, state, tx_id);
 if (tx) {
+ jb_get_mark(jb, &mark);
 jb_open_object(jb, "dcerpc");
 if (p->proto == IPPROTO_TCP) {
 if (!rs_dcerpc_log_json_record_tcp(state, tx, jb)) {
@@ -405,6 +405,7 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
 }
 }
 break;
+ }
 default:
 break;
 }
--
2.47.2
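Review bot: The new placement of `jb_get_mark(jb, &mark);` inside `if (tx)` carries an invariant that is not written down: the mark has to be taken immediately before `jb_open_object(jb, "dcerpc")` so that `jb_restore_mark` discards exactly that object and nothing else. A one-line comment above it would keep a later edit from separating the two, e.g. `/* mark directly before the open: a failed record rolls back only "dcerpc" */`. The rollback branches run past the end of this hunk, so it cannot be seen from here whether the object is closed after a restore; if a close call follows unconditionally it would presumably apply to the parent object, which is worth confirming because this builds the alert record that downstream tooling parses. The case body ends in the second hunk, which only adds the closing brace.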