tests: verify pcap_filename on alert and flow events - v2

tests/pcap-filename-alert-and-flow/README.md

@@ -0,0 +1,4 @@
+Verify that pcap_filename is present in EVE JSON output for both
+alert events (packet-based path) and flow events (p == NULL fallback).
+
+Related to https://redmine.openinfosecfoundation.org/issues/5255

tests/pcap-filename-alert-and-flow/alert.rules

@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)

tests/pcap-filename-alert-and-flow/suricata.yaml

@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      pcap-file: true
+
+      types:
+        - alert
+        - flow

tests/pcap-filename-alert-and-flow/test.yaml

@@ -0,0 +1,20 @@
+requires:
+  min-version: 8
+
+pcap: ../bug-7414-decoder-event-01/ip_secopt.pcap
+
+checks:
+  # Alert event - exercises the p != NULL path in OutputJsonBuilderBuffer
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2200005
+        pcap_filename.__endswith: "ip_secopt.pcap"
+
+  # Flow event - exercises the p == NULL path in OutputJsonBuilderBuffer
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        pcap_filename.__endswith: "ip_secopt.pcap"

tests/pcap-filename-pseudo-pkts/README.md

@@ -0,0 +1,9 @@
+Verify that pcap_filename is present in EVE JSON output for
+pseudo-packets (e.g. fileinfo events from truncated files).
+
+This reuses the pcap from bug-5392 which triggers a file truncation event.
+The generated stream pseudo-packet carries pcap_v.pfv propagated from the
+flow (set in StreamTcpDetectLogFlush), so this exercises the per-packet
+pfv->filename path in OutputJsonBuilderBuffer.
+
+Related to https://redmine.openinfosecfoundation.org/issues/5255

tests/pcap-filename-pseudo-pkts/suricata.yaml

@@ -0,0 +1,41 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      pcap-file: true
+      types:
+        - http:
+            enabled: yes
+        - files:
+            force-magic: no
+            force-hash: [md5]
+
+  - file-store:
+       version: 2
+       enabled: yes
+       dir: filestore
+       write-fileinfo: yes
+       force-filestore: yes
+
+logging:
+  default-log-level: notice
+  outputs:
+  - console:
+      enabled: yes
+  - file:
+      enabled: yes
+      level: info
+      filename: suricata.json
+
+app-layer:
+  protocols:
+    http:
+      enabled: yes
+      libhtp:
+         default-config:
+           personality: IDS
+           request-body-limit: 100kb
+           response-body-limit: 100kb

tests/pcap-filename-pseudo-pkts/test.yaml

@@ -0,0 +1,16 @@
+requires:
+  min-version: 7
+
+pcap: ../bug-5392/TPWhite-carved-out-7787-s1.pcap
+
+args:
+- -k none
+- --no-random
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+        pcap_filename.__endswith: "TPWhite-carved-out-7787-s1.pcap"
+        fileinfo.state: "TRUNCATED"

tests/pcap-filename-recursive/README.md

@@ -0,0 +1,17 @@
+Verify that pcap_filename in EVE JSON output reflects the file each
+connection's packets came from, not the last file the RX thread processed.
+
+Two pcap files are fed with --pcap-file-recursive.  alert.pcap is processed
+first; http.pcap is processed last, so the global pcap_filename points to
+http.pcap at shutdown.  The flow event for the alert.pcap connection must
+report alert.pcap (read from the per-flow pfv), demonstrating that the race
+between the RX thread advancing to the next file and workers/flow-manager
+logging events is resolved correctly.
+
+The pcap files are copies of existing test captures:
+  alert.pcap  - copy of tests/bug-7414-decoder-event-01/ip_secopt.pcap
+  http.pcap   - copy of tests/bug-5392/TPWhite-carved-out-7787-s1.pcap
+Local copies are required because --pcap-file-recursive reads an entire
+directory; relative paths to other test directories cannot be used.
+
+Related to https://redmine.openinfosecfoundation.org/issues/5255

tests/pcap-filename-recursive/suricata.yaml

@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      pcap-file: true
+      types:
+        - http:
+            enabled: yes
+        - files:
+            force-magic: no
+        - flow

tests/pcap-filename-recursive/test.yaml

@@ -0,0 +1,36 @@
+requires:
+  min-version: 9
+
+pcap: .
+
+args:
+- --pcap-file-recursive
+
+checks:
+  # Race-condition regression: alert.pcap is processed FIRST; http.pcap is
+  # processed LAST, so the global pcap_filename ends up pointing to http.pcap
+  # at shutdown.  The flow event for the alert.pcap connection must still
+  # report alert.pcap (via the per-flow pfv), not the stale global.
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        pcap_filename.__endswith: "alert.pcap"
+
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        pcap_filename.__endswith: "http.pcap"
+
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+        pcap_filename.__endswith: "http.pcap"
+
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        pcap_filename.__endswith: "http.pcap"