git.ipfire.org Git - thirdparty/suricata.git/commit

author	Eric Leblond <el@stamus-networks.com>
	Sat, 29 Mar 2025 07:49:12 +0000 (08:49 +0100)
committer	Victor Julien <victor@inliniac.net>
	Wed, 11 Jun 2025 18:49:18 +0000 (20:49 +0200)
commit	3dde17fb75d131013ca586d82a184d3194245feb
tree	207ae48c1a18f962376fb8785be797f61222c5eb	tree
parent	0ae88a408a898bc8577762cc6c00ff0427fa058e	commit \| diff

datajson: add remove_key option to dataset

This option allows to remove the key corresponding to the match
value from the JSON object before creating the JSON object that
will be added to the `extra` data.

For example, matching on the following JSON on the `ip` key:

```json
{"ip": "10.16.1.11", "test": "success", "context":3}
```

with a match like:

```
dataset:isset,src_ip,type ip,load src.lst,format jsonline,enrichment_key src_ip,value_key ip;
```

will produce the following:

```json
"extra": {
  "src_ip": {
    "ip": "10.16.1.11",
    "test": "success",
    "context": 3
  }
```

if we add the `remove_key` option to the match:

```
dataset:isset,src_ip,type ip,load src.lst,format jsonline,enrichment_key src_ip,value_key ip, remove_key;
```

it will produce the following:

```json
"extra": {
  "src_ip": {
    "test": "success",
    "context": 3
  }
```

The option is set to false by default.

Ticket: #7372

src/datajson.c		diff \| blob \| blame \| history
src/datajson.h		diff \| blob \| blame \| history
src/datasets.h		diff \| blob \| blame \| history
src/detect-dataset.c		diff \| blob \| blame \| history