diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 184370a65edc..cdd2c2a36e36 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -722,8 +722,6 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 }
 }
- EveAddAppProto(p->flow, jb);
-
 if (p->flowflags & FLOW_PKT_TOSERVER) {
 SCJbSetString(jb, "direction", "to_server");
 } else {
diff --git a/src/output-json-file.c b/src/output-json-file.c
index 9c046b3c7d18..2ac3f2ee4af0 100644
--- a/src/output-json-file.c
+++ b/src/output-json-file.c
@@ -189,8 +189,6 @@ SCJsonBuilder *JsonBuildFileInfoRecord(const Packet *p, const File *ff, void *tx
 break;
 }
- SCJbSetString(js, "app_proto", AppProtoToString(p->flow->alproto));
-
 SCJbOpenObject(js, "fileinfo");
 if (stored) {
 // the file has just been stored on disk cf OUTPUT_FILEDATA_FLAG_CLOSE
diff --git a/src/output-json-flow.c b/src/output-json-flow.c
index a57160c602b5..8d34d3882471 100644
--- a/src/output-json-flow.c
+++ b/src/output-json-flow.c
@@ -175,26 +175,6 @@ static SCJsonBuilder *CreateEveHeaderFromFlow(const Flow *f)
 return jb;
 }
-void EveAddAppProto(Flow *f, SCJsonBuilder *js)
-{
- if (f->alproto) {
- SCJbSetString(js, "app_proto", AppProtoToString(f->alproto));
- }
- if (f->alproto_ts && f->alproto_ts != f->alproto) {
- SCJbSetString(js, "app_proto_ts", AppProtoToString(f->alproto_ts));
- }
- if (f->alproto_tc && f->alproto_tc != f->alproto) {
- SCJbSetString(js, "app_proto_tc", AppProtoToString(f->alproto_tc));
- }
- if (f->alproto_orig != f->alproto && f->alproto_orig != ALPROTO_UNKNOWN) {
- SCJbSetString(js, "app_proto_orig", AppProtoToString(f->alproto_orig));
- }
- if (f->alproto_expect != f->alproto && f->alproto_expect != ALPROTO_UNKNOWN) {
- SCJbSetString(js, "app_proto_expected", AppProtoToString(f->alproto_expect));
- }
-
-}
-
 void EveAddFlow(Flow *f, SCJsonBuilder *js)
 {
 FlowBypassInfo *fc = FlowGetStorageById(f, GetFlowBypassInfoID());
diff --git a/src/output-json-flow.h b/src/output-json-flow.h
index 4524370d11a7..362d0610e1df 100644
--- a/src/output-json-flow.h
+++ b/src/output-json-flow.h
@@ -26,6 +26,5 @@
 void JsonFlowLogRegister(void);
 void EveAddFlow(Flow *f, SCJsonBuilder *js);
-void EveAddAppProto(Flow *f, SCJsonBuilder *js);
 #endif /* SURICATA_OUTPUT_JSON_FLOW_H */
diff --git a/src/output-json-frame.c b/src/output-json-frame.c
index d4e79a4762ef..9f60deaf94ea 100644
--- a/src/output-json-frame.c
+++ b/src/output-json-frame.c
@@ -313,7 +313,6 @@ static int FrameJsonUdp(ThreadVars *tv, JsonFrameLogThread *aft, const Packet *p
 if (unlikely(jb == NULL)) return TM_ECODE_OK;
- SCJbSetString(jb, "app_proto", AppProtoToString(f->alproto));
 FrameJsonLogOneFrame(IPPROTO_UDP, frame, p->flow, NULL, p, jb, aft->payload_buffer);
 OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
 SCJbFree(jb);
@@ -387,7 +386,6 @@ static int FrameJson(ThreadVars *tv, JsonFrameLogThread *aft, const Packet *p)
 if (unlikely(jb == NULL)) return TM_ECODE_OK;
- SCJbSetString(jb, "app_proto", AppProtoToString(p->flow->alproto));
 FrameJsonLogOneFrame(IPPROTO_TCP, frame, p->flow, stream, p, jb, aft->payload_buffer);
 OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
 SCJbFree(jb);
diff --git a/src/output-json-netflow.c b/src/output-json-netflow.c
index 6a0d1d2e60a0..23c7107b4517 100644
--- a/src/output-json-netflow.c
+++ b/src/output-json-netflow.c
@@ -228,7 +228,7 @@ static void NetFlowLogEveToServer(SCJsonBuilder *js, Flow *f)
 static void NetFlowLogEveToClient(SCJsonBuilder *js, Flow *f)
 {
- SCJbSetString(js, "app_proto", AppProtoToString(f->alproto_tc ? f->alproto_tc : f->alproto));
+ EveAddAppProto(f, js);
 SCJbOpenObject(js, "netflow");
diff --git a/src/output-json.c b/src/output-json.c
index 1e04e13c49dd..df45c6f5f9a4 100644
--- a/src/output-json.c
+++ b/src/output-json.c
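Review bot: The to-client netflow record's `app_proto` changes meaning with this replacement in `NetFlowLogEveToClient`: the removed line always wrote `app_proto`, preferring `f->alproto_tc` and falling back to `f->alproto`, whereas `EveAddAppProto(f, js)` writes `app_proto` from `f->alproto` only when it is non-zero and puts a differing to-client value under `app_proto_tc`. Log pipelines and detection queries that filter netflow events on `app_proto` will see a different value or no key at all for flows where the directions disagree, so the change should be called out in the commit message or upgrade notes. `NetFlowLogEveToServer` appears only as hunk-header context and is not changed in this diff; if it still writes its own direction-specific `app_proto`, the two records of one flow will follow different conventions. A comment above the call, for example `/* app_proto is the flow-wide value; per-direction values go to app_proto_ts/app_proto_tc */`, would record the intent.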
@@ -847,6 +847,28 @@ static int CreateJSONEther(
 return 0;
 }
+void EveAddAppProto(const Flow *f, SCJsonBuilder *js)
+{
+ if (f == NULL) {
+ return;
+ }
+ if (f->alproto) {
+ SCJbSetString(js, "app_proto", AppProtoToString(f->alproto));
+ }
+ if (f->alproto_ts && f->alproto_ts != f->alproto) {
+ SCJbSetString(js, "app_proto_ts", AppProtoToString(f->alproto_ts));
+ }
+ if (f->alproto_tc && f->alproto_tc != f->alproto) {
+ SCJbSetString(js, "app_proto_tc", AppProtoToString(f->alproto_tc));
+ }
+ if (f->alproto_orig != f->alproto && f->alproto_orig != ALPROTO_UNKNOWN) {
+ SCJbSetString(js, "app_proto_orig", AppProtoToString(f->alproto_orig));
+ }
+ if (f->alproto_expect != f->alproto && f->alproto_expect != ALPROTO_UNKNOWN) {
+ SCJbSetString(js, "app_proto_expected", AppProtoToString(f->alproto_expect));
+ }
+}
+
 SCJsonBuilder *CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
 {
@@ -864,6 +886,8 @@ SCJsonBuilder *CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection di
 CreateEveFlowId(js, f);
+ EveAddAppProto(f, js);
+
 /* sensor id */
 if (sensor_id >= 0) {
 SCJbSetUint(js, "sensor_id", sensor_id);
diff --git a/src/output-json.h b/src/output-json.h
index 1f4fec70d041..938d13c83ca4 100644
--- a/src/output-json.h
+++ b/src/output-json.h
@@ -110,6 +110,7 @@ void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, c
 SCJsonBuilder *js, enum SCOutputJsonLogDirection dir);
 int OutputJsonLogFlush(ThreadVars *tv, void *thread_data, const Packet *p);
 void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js);
+void EveAddAppProto(const Flow *f, SCJsonBuilder *js);
 int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);
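Review bot: `EveAddAppProto` is now declared in output-json.h and runs for every header, yet the new definition carries no comment on which keys it may emit or on the fact that a NULL flow is a silent no-op. I would add a short doc comment above it listing `app_proto`, `app_proto_ts`, `app_proto_tc`, `app_proto_orig` and `app_proto_expected`, the condition under which each is written (only when set and different from `f->alproto`), and a statement that callers must not set these keys on the same builder themselves. `f` is checked for NULL while `js` is not; if a NULL builder is excluded by contract, the same comment is the place to say so.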
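Review bot: With `EveAddAppProto(f, js)` placed in `CreateEveHeader`, any logger that builds on this header and still sets `app_proto` itself will emit the key twice, unless the builder rejects repeated keys, which is not visible here. This diff removes such writes from the alert, fileinfo and frame loggers, but `CreateEveHeader` may have callers outside the diff, and JSON parsers differ on whether the first or the last duplicate wins, which leaves the field value ambiguous for downstream consumers. Please confirm the remaining callers were audited, and consider a comment at the call such as `/* app_proto* keys belong to the header; event loggers must not set them again */`. Note also that the removed fileinfo and frame lines wrote `app_proto` unconditionally, while the header path omits it when `f->alproto` is zero. The body of `CreateEveHeader` starts and ends outside the hunk, so the origin of `f` is not shown.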