From 3286ae2cc905992fd48b9eabc72817b16aabfdba Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Thu, 8 May 2025 16:00:48 -0300
Subject: [PATCH] eve: add ip version field

Adds the field `ip_v` (integer) to the common fields of EVE. To facilitate searches based on IP version, for instance. Task #7047
---
 etc/schema.json | 4 ++++
 src/output-json-flow.c | 7 +++++++
 src/output-json.c | 7 +++++++
 3 files changed, 18 insertions(+)

diff --git a/etc/schema.json b/etc/schema.json
index 4919a8f7fa..57624ec066 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -54,6 +54,10 @@
 "in_iface": {
 "type": "string"
 },
+ "ip_v": {
+ "type": "integer",
+ "description": "IP version of the packet or flow"
+ },
 "log_level": {
 "type": "string"
 },
diff --git a/src/output-json-flow.c b/src/output-json-flow.c
index 91fcf34bb5..a57160c602 100644
--- a/src/output-json-flow.c
+++ b/src/output-json-flow.c
@@ -143,6 +143,13 @@ static SCJsonBuilder *CreateEveHeaderFromFlow(const Flow *f)
 break;
 }

+ /* ip version */
+ if (FLOW_IS_IPV4(f)) {
+ SCJbSetUint(jb, "ip_v", 4);
+ } else if (FLOW_IS_IPV6(f)) {
+ SCJbSetUint(jb, "ip_v", 6);
+ }
+
 if (SCProtoNameValid(f->proto)) {
 SCJbSetString(jb, "proto", known_proto[f->proto]);
 } else {
diff --git a/src/output-json.c b/src/output-json.c
index 3c39d72bde..512274eeb5 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -902,6 +902,13 @@ SCJsonBuilder *CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection di
 SCJbSetString(js, "proto", addr->proto);
 }

+ /* ip version */
+ if (PacketIsIPv4(p)) {
+ SCJbSetUint(js, "ip_v", 4);
+ } else if (PacketIsIPv6(p)) {
+ SCJbSetUint(js, "ip_v", 6);
+ }
+
 /* icmp */
 switch (p->proto) {
 case IPPROTO_ICMP:
-- 
2.47.2
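Review bot: The new `ip_v` property accepts any integer, although both emitters in this patch only ever write 4 or 6. Constraining it with `"enum": [4, 6]` would let schema validation flag any other value, provided the project's schema checks allow that keyword here. The description could also state that the field is absent when the packet or flow is neither IPv4 nor IPv6, since the C code adds it only inside an `if`/`else if` with no fallback. The enclosing object starts and ends outside the hunk.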
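Review bot: The `if (FLOW_IS_IPV4(f)) … else if (FLOW_IS_IPV6(f))` chain has no final `else`, so a flow matching neither macro is logged without `ip_v`, and the comment `/* ip version */` does not say whether that is intended. Anyone filtering EVE records on `ip_v` will silently skip such events, so I would spell it out: `/* ip version; the field is omitted for flows that are neither IPv4 nor IPv6 */`. The same applies to the `PacketIsIPv4`/`PacketIsIPv6` chain added to `CreateEveHeader` in src/output-json.c. `CreateEveHeaderFromFlow` begins and ends outside this hunk.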
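Review bot: Here `ip_v` is written after `proto`, while `CreateEveHeaderFromFlow` writes it before `proto`, so the common header fields presumably come out in a different order depending on the event type. Key order carries no meaning in JSON, but keeping both headers aligned makes records easier to compare by eye and in test fixtures; moving one of the two blocks to the other side of its `proto` write would do it. The key literal `"ip_v"` and the 4/6 mapping are also duplicated across the two files, so a small shared helper would keep them from drifting apart. The `if` around the `proto` write and the rest of `CreateEveHeader` lie outside the hunk.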