From: Juliana Fajardini
Date: Thu, 8 May 2025 19:00:48 +0000 (-0300)
Subject: eve: add ip version field
X-Git-Tag: suricata-8.0.0-rc1~324
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F13201%2Fhead;p=thirdparty%2Fsuricata.git
eve: add ip version field
Adds the field `ip_v` (integer) to the common fields of EVE. To facilitate searches based on IP version, for instance.
Task #7047
---
diff --git a/etc/schema.json b/etc/schema.json
index 4919a8f7fa..57624ec066 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -54,6 +54,10 @@
 "in_iface": {
 "type": "string"
 },
+ "ip_v": {
+ "type": "integer",
+ "description": "IP version of the packet or flow"
+ },
 "log_level": {
 "type": "string"
 },
diff --git a/src/output-json-flow.c b/src/output-json-flow.c
index 91fcf34bb5..a57160c602 100644
--- a/src/output-json-flow.c
+++ b/src/output-json-flow.c
@@ -143,6 +143,13 @@ static SCJsonBuilder *CreateEveHeaderFromFlow(const Flow *f)
 break;
 }
 
+ /* ip version */
+ if (FLOW_IS_IPV4(f)) {
+ SCJbSetUint(jb, "ip_v", 4);
+ } else if (FLOW_IS_IPV6(f)) {
+ SCJbSetUint(jb, "ip_v", 6);
+ }
+
 if (SCProtoNameValid(f->proto)) {
 SCJbSetString(jb, "proto", known_proto[f->proto]);
 } else {
diff --git a/src/output-json.c b/src/output-json.c
index 3c39d72bde..512274eeb5 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -902,6 +902,13 @@ SCJsonBuilder *CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection di
 SCJbSetString(js, "proto", addr->proto);
 }
 
+ /* ip version */
+ if (PacketIsIPv4(p)) {
+ SCJbSetUint(js, "ip_v", 4);
+ } else if (PacketIsIPv6(p)) {
+ SCJbSetUint(js, "ip_v", 6);
+ }
+
 /* icmp */
 switch (p->proto) {
 case IPPROTO_ICMP:
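Review bot: The new `ip_v` property in etc/schema.json accepts any integer, while both emitters in this commit only ever write 4 or 6, so the schema can pin the value and let downstream validators catch a corrupted or hand-crafted record: `"type": "integer", "enum": [4, 6],`. The description should also state that the key is omitted rather than set to a sentinel when the record is not IP-based, since the C side writes nothing when neither version check matches; e.g. `"description": "IP version of the packet or flow (4 or 6); absent for records not derived from an IP header"`. Without that wording, a consumer searching on `ip_v` cannot tell "non-IP record" from "record produced before this field existed".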
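Review bot: In the output-json.c hunk a packet that is neither IPv4 nor IPv6 silently gets no `ip_v` key, and nothing in the code or comment says whether that is intentional; a reader may later "fix" it by adding an else branch that writes 0. If the omission is deliberate, make it explicit: `/* ip version: intentionally absent for non-IP packets (e.g. decoder events on non-IP frames, if they reach this path) */`. The same six lines are duplicated verbatim in CreateEveHeaderFromFlow in output-json-flow.c (with FLOW_IS_IPV4/FLOW_IS_IPV6); a small static helper, or at least a matching comment in both places, would keep the two emitters from drifting when a third header builder is added. CreateEveHeader begins before this hunk, so I cannot see whether an earlier branch already filters non-IP packets out.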