eve: add ip version field

Adds the field `ip_v` (integer) to the common fields of EVE.
To facilitate searches based on IP version, for instance.

Task #7047

diff --git a/etc/schema.json b/etc/schema.json
index 4919a8f7fa02424ad3bd44b5448060d2d6c466e0..57624ec066a255ba2c1829d88a83c9060c27d557 100644 (file)
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -54,6 +54,10 @@
         "in_iface": {
             "type": "string"
         },
+        "ip_v": {
+            "type": "integer",
+            "description": "IP version of the packet or flow"
+        },
         "log_level": {
             "type": "string"
         },

diff --git a/src/output-json-flow.c b/src/output-json-flow.c
index 91fcf34bb535c105f928411af0fa1e252afff275..a57160c602b55d3f78ae0f6ff3bcb95d8f89caaa 100644 (file)
--- a/src/output-json-flow.c
+++ b/src/output-json-flow.c
@@ -143,6 +143,13 @@ static SCJsonBuilder *CreateEveHeaderFromFlow(const Flow *f)
             break;
     }
 
+    /* ip version */
+    if (FLOW_IS_IPV4(f)) {
+        SCJbSetUint(jb, "ip_v", 4);
+    } else if (FLOW_IS_IPV6(f)) {
+        SCJbSetUint(jb, "ip_v", 6);
+    }
+
     if (SCProtoNameValid(f->proto)) {
         SCJbSetString(jb, "proto", known_proto[f->proto]);
     } else {

diff --git a/src/output-json.c b/src/output-json.c
index 3c39d72bde20c3abb76d236a35994062d230f505..512274eeb59f4779fbd98212f530798039ea940c 100644 (file)
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -902,6 +902,13 @@ SCJsonBuilder *CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection di
         SCJbSetString(js, "proto", addr->proto);
     }
 
+    /* ip version */
+    if (PacketIsIPv4(p)) {
+        SCJbSetUint(js, "ip_v", 4);
+    } else if (PacketIsIPv6(p)) {
+        SCJbSetUint(js, "ip_v", 6);
+    }
+
     /* icmp */
     switch (p->proto) {
         case IPPROTO_ICMP: