
Multipart mime 3487 v39 #11157

Closed
catenacyber wants to merge 5 commits into OISF:master from catenacyber:multipart-mime-3487-v39

Conversation

@catenacyber
Contributor

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/3487

Describe changes:

  • convert HTTP to use new rust mime parser
  • convert SMTP to use new rust mime parser
  • json schema : add email.received array

Follows #11130 with rebase

SV_BRANCH=OISF/suricata-verify#1851

@codecov

codecov bot commented May 27, 2024

Codecov Report

Attention: Patch coverage is 92.09139%, with 90 lines in your changes missing coverage. Please review.

Project coverage is 83.32%. Comparing base (e041187) to head (6fd1c30).

@@            Coverage Diff             @@
##           master   #11157      +/-   ##
==========================================
- Coverage   84.28%   83.32%   -0.97%     
==========================================
  Files         926      920       -6     
  Lines      243303   240222    -3081     
==========================================
- Hits       205076   200172    -4904     
- Misses      38227    40050    +1823     
Flag              Coverage   Patch      Δ
fuzzcorpus        64.00%     <74.81%>   (-0.18%) ⬇️
livemode          ?
pcap              46.38%     <76.97%>   (-0.30%) ⬇️
suricata-verify   62.73%     <86.93%>   (-0.30%) ⬇️
unittests         61.61%     <57.64%>   (-0.15%) ⬇️

Flags with carried forward coverage won't be shown.

@suricata-qa

Information: QA ran without warnings.

Pipeline 20820

@victorjulien
Member

Email input:

To: "XXXXX-YYYY, ZZZZZ" <xyz@mydomain.zzz>

Is logged as:

    "to": [
      "\"XXXXX-YYYY",
      " ZZZZZ\" <xyz@mydomain.zzz>"
    ],

We match on it in SV

    email.to[0]: '"XXXXX-YYYY'
    email.to[1]: ZZZZZ" <xyz@mydomain.zzz>

Note the leading space in the ZZZZZ part of the "to" field.

So, a couple of things:

  1. this is different from our master, which strips the leading space from to[1]
  2. both master and this branch seem wrong to split the name

Can't provide a pcap sadly, as it's TLP dark red, but I can test fixes.

We can fix this up post merge too.

@victorjulien
Member

Also seeing a pcap where this branch no longer tracks an attachment, where master does. Trying to see how to share or analyze.

@victorjulien
Member

Also seeing a pcap where this branch no longer tracks an attachment, where master does. Trying to see how to share or analyze.

It appears to be a MIME email embedded in another. Sharing something offline.

@catenacyber
Contributor Author

So, a couple of things:

  1. this is different from our master, which strips the leading space from to[1]
  2. both master and this branch seem wrong to split the name

Fixing both the leading space, and also improving on the quotes

Can't provide a pcap sadly, as it's TLP dark red, but I can test fixes.

Crafted a test in OISF/suricata-verify#1869
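The address-list bug discussed above (a comma inside a quoted display name splitting the `To:` value, plus the leading space left on the second part) comes down to how the list is tokenised. The following is an added illustration, not code from this PR or from Suricata's Rust MIME parser: a naive comma split that reproduces the logged output, beside a quote-aware split that keeps `"XXXXX-YYYY, ZZZZZ" <xyz@mydomain.zzz>` as one entry and trims the whitespace after each separator. The sample header value is the constructed one from the review comment.

```rust
// Added example (not Suricata's code). Splits an RFC 5322 address list on
// commas that sit outside double-quoted display names, then trims the
// whitespace that follows each separator.

/// Naive split: reproduces the misbehaviour from the review comment
/// (the display name is cut in two and to[1] keeps its leading space).
pub fn split_naive(header: &str) -> Vec<String> {
    header.split(',').map(|s| s.to_string()).collect()
}

/// Quote-aware split: a comma inside "..." belongs to the display name.
/// A backslash inside the quoted string (quoted-pair) escapes the next char.
pub fn split_addresses(header: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut cur = String::new();
    let mut in_quotes = false;
    let mut escaped = false;
    for c in header.chars() {
        if escaped {
            cur.push(c);
            escaped = false;
            continue;
        }
        match c {
            '\\' if in_quotes => {
                cur.push(c);
                escaped = true;
            }
            '"' => {
                in_quotes = !in_quotes;
                cur.push(c);
            }
            // Separator only when not inside a quoted display name.
            ',' if !in_quotes => {
                if !cur.trim().is_empty() {
                    out.push(cur.trim().to_string());
                }
                cur.clear();
            }
            _ => cur.push(c),
        }
    }
    // An unterminated quote is tolerated: the remainder is the last entry.
    if !cur.trim().is_empty() {
        out.push(cur.trim().to_string());
    }
    out
}

fn main() {
    let to = "\"XXXXX-YYYY, ZZZZZ\" <xyz@mydomain.zzz>";
    println!("naive: {:?}", split_naive(to));
    println!("quote-aware: {:?}", split_addresses(to));
}
```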

@catenacyber
Contributor Author

Continued in #11188
