OISF · regit · Sep 7, 2025 · Sep 7, 2025
@@ -722,8 +722,6 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
                 }
             }
 
-            EveAddAppProto(p->flow, jb);
-
             if (p->flowflags & FLOW_PKT_TOSERVER) {
                 SCJbSetString(jb, "direction", "to_server");
             } else {

@@ -189,8 +189,6 @@ SCJsonBuilder *JsonBuildFileInfoRecord(const Packet *p, const File *ff, void *tx
             break;
     }
 
-    SCJbSetString(js, "app_proto", AppProtoToString(p->flow->alproto));
-
     SCJbOpenObject(js, "fileinfo");
     if (stored) {
         // the file has just been stored on disk cf OUTPUT_FILEDATA_FLAG_CLOSE

@@ -175,26 +175,6 @@ static SCJsonBuilder *CreateEveHeaderFromFlow(const Flow *f)
     return jb;
 }
 
-void EveAddAppProto(Flow *f, SCJsonBuilder *js)
-{
-    if (f->alproto) {
-        SCJbSetString(js, "app_proto", AppProtoToString(f->alproto));
-    }
-    if (f->alproto_ts && f->alproto_ts != f->alproto) {
-        SCJbSetString(js, "app_proto_ts", AppProtoToString(f->alproto_ts));
-    }
-    if (f->alproto_tc && f->alproto_tc != f->alproto) {
-        SCJbSetString(js, "app_proto_tc", AppProtoToString(f->alproto_tc));
-    }
-    if (f->alproto_orig != f->alproto && f->alproto_orig != ALPROTO_UNKNOWN) {
-        SCJbSetString(js, "app_proto_orig", AppProtoToString(f->alproto_orig));
-    }
-    if (f->alproto_expect != f->alproto && f->alproto_expect != ALPROTO_UNKNOWN) {
-        SCJbSetString(js, "app_proto_expected", AppProtoToString(f->alproto_expect));
-    }
-
-}
-
 void EveAddFlow(Flow *f, SCJsonBuilder *js)
 {
     FlowBypassInfo *fc = FlowGetStorageById(f, GetFlowBypassInfoID());

@@ -26,6 +26,5 @@
 
 void JsonFlowLogRegister(void);
 void EveAddFlow(Flow *f, SCJsonBuilder *js);
-void EveAddAppProto(Flow *f, SCJsonBuilder *js);
 
 #endif /* SURICATA_OUTPUT_JSON_FLOW_H */
@@ -313,7 +313,6 @@ static int FrameJsonUdp(ThreadVars *tv, JsonFrameLogThread *aft, const Packet *p
         if (unlikely(jb == NULL))
             return TM_ECODE_OK;
 
-        SCJbSetString(jb, "app_proto", AppProtoToString(f->alproto));
         FrameJsonLogOneFrame(IPPROTO_UDP, frame, p->flow, NULL, p, jb, aft->payload_buffer);
         OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
         SCJbFree(jb);
@@ -387,7 +386,6 @@ static int FrameJson(ThreadVars *tv, JsonFrameLogThread *aft, const Packet *p)
             if (unlikely(jb == NULL))
                 return TM_ECODE_OK;
 
-            SCJbSetString(jb, "app_proto", AppProtoToString(p->flow->alproto));
             FrameJsonLogOneFrame(IPPROTO_TCP, frame, p->flow, stream, p, jb, aft->payload_buffer);
             OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
             SCJbFree(jb);

@@ -228,7 +228,7 @@ static void NetFlowLogEveToServer(SCJsonBuilder *js, Flow *f)
 
 static void NetFlowLogEveToClient(SCJsonBuilder *js, Flow *f)
 {
-    SCJbSetString(js, "app_proto", AppProtoToString(f->alproto_tc ? f->alproto_tc : f->alproto));
+    EveAddAppProto(f, js);
 
     SCJbOpenObject(js, "netflow");
 

@@ -847,6 +847,28 @@ static int CreateJSONEther(
     return 0;
 }
 
+void EveAddAppProto(const Flow *f, SCJsonBuilder *js)
+{
+    if (f == NULL) {
+        return;
+    }
+    if (f->alproto) {
+        SCJbSetString(js, "app_proto", AppProtoToString(f->alproto));
+    }
+    if (f->alproto_ts && f->alproto_ts != f->alproto) {
+        SCJbSetString(js, "app_proto_ts", AppProtoToString(f->alproto_ts));
+    }
+    if (f->alproto_tc && f->alproto_tc != f->alproto) {
+        SCJbSetString(js, "app_proto_tc", AppProtoToString(f->alproto_tc));
+    }
+    if (f->alproto_orig != f->alproto && f->alproto_orig != ALPROTO_UNKNOWN) {
+        SCJbSetString(js, "app_proto_orig", AppProtoToString(f->alproto_orig));
+    }
+    if (f->alproto_expect != f->alproto && f->alproto_expect != ALPROTO_UNKNOWN) {
+        SCJbSetString(js, "app_proto_expected", AppProtoToString(f->alproto_expect));
+    }
+}
+
 SCJsonBuilder *CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection dir,
         const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
 {
@@ -864,6 +886,8 @@ SCJsonBuilder *CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection di
 
     CreateEveFlowId(js, f);
 
+    EveAddAppProto(f, js);
+
     /* sensor id */
     if (sensor_id >= 0) {
         SCJbSetUint(js, "sensor_id", sensor_id);

@@ -110,6 +110,7 @@ void EveAddCommonOptions(const OutputJsonCommonSettings *cfg, const Packet *p, c
         SCJsonBuilder *js, enum SCOutputJsonLogDirection dir);
 int OutputJsonLogFlush(ThreadVars *tv, void *thread_data, const Packet *p);
 void EveAddMetadata(const Packet *p, const Flow *f, SCJsonBuilder *js);
+void EveAddAppProto(const Flow *f, SCJsonBuilder *js);
 
 int OutputJSONMemBufferCallback(const char *str, size_t size, void *data);