output-json/output-json-flow: Geoip enrichment

[jayhardee9]

Contribution style:

• I have read the contributing guide lines at
  https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html

Our Contribution agreements:

• I have signed the Open Information Security Foundation contribution agreement at
  https://suricata.io/about/contribution-agreement/ (note: this is only required once)

Changes (if applicable):

• I have updated the User Guide (in doc/userguide/) to reflect the changes made
• I have updated the JSON schema (in etc/schema.json) to reflect all logging changes
  (including schema descriptions)
• I have created a ticket at
  https://redmine.openinfosecfoundation.org/projects/suricata/issues

Link to ticket: https://redmine.openinfosecfoundation.org/issues/6999
Original author's PR: #10703

Describe changes:

• adds optional geoip enrichment into EVE log by setting the geoip-enrichment option under eve-log configuration in suricata.yaml
• enrichment is available under the json-output and json-output-flow modules.

Eve output example with enrichment

{
    "timestamp": "2021-05-27T03:37:44.575843+0700",
    "flow_id": 2130735805455113,
    "pcap_cnt": 15756,
    "event_type": "fileinfo",
    "geoip_src": {
        "ip": "192.236.155.230",
        "geo": {
            "continent_code": "NA",
            "country_iso_code": "US",
            "city_name": "Seattle",
            "country_name": "United States",
            "continent_name": "North America",
            "timezone": "America/Los_Angeles",
            "location": {
                "lat": 47.4902,
                "lon": -122.3004
            }
        }
    },
    "geoip_dst": {},
    "src_ip": "192.236.155.230",
    "src_port": 80,
    "dest_ip": "10.5.26.4",
    "dest_port": 56042,
    "proto": "TCP",
    "pkt_src": "wire/pcap",
    "http": {
        "hostname": "192.236.155.230",
        "url": "/images/redbutton.png",
        "http_user_agent": "WinHTTP loader/1.0",
        "http_content_type": "Content-type: application/octet-stream",
        "http_method": "GET",
        "protocol": "HTTP/1.1",
        "status": 200,
        "length": 105556
    },
    "app_proto": "http",
    "fileinfo": {
        "filename": "/images/redbutton.png",
        "gaps": false,
        "state": "TRUNCATED",
        "stored": false,
        "size": 102400,
        "tx_id": 0
    }
}

Provide values to any of the below to override the defaults.

SV_BRANCH=OISF/suricata-verify#2838

[github-actions]

NOTE: This PR may contain new authors.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.13%. Comparing base (f1b9669) to head (a42c64f).
⚠️ Report is 10 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #14558   +/-   ##
=======================================
  Coverage   82.12%   82.13%           
=======================================
  Files        1014     1014           
  Lines      262461   262461           
=======================================
+ Hits       215551   215571   +20     
+ Misses      46910    46890   -20     

Flag	Coverage Δ
fuzzcorpus	60.36% <100.00%> (+1.02%)	⬆️
livemode	18.74% <100.00%> (-0.01%)	⬇️
pcap	44.57% <100.00%> (-0.04%)	⬇️
suricata-verify	65.02% <100.00%> (-0.01%)	⬇️
unittests	59.23% <0.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[catenacyber]

Thanks for your work.

Just a quick look and I see that CI is red

• because the changes to schema.json are not alphabetically ordered like Current order: ['ip', 'geo'] Should be: ['geo', 'ip']
• because the C code is not formatted with clang-format ( see https://docs.suricata.io/en/latest/devguide/codebase/code-style.html#clang-format )

[jayhardee9]

Next iteration: #14567