From 7463306b3b2ab25d4b23d619936ac9286c331a0f Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Thu, 7 May 2026 15:32:16 -0600
Subject: [PATCH] eve: add rule generation source to alert record
When an alert is generated from firewall context, add an engine value of "fw", otherwise "td" (for threat detect). The engine field is only added when firewall mode is enabled.
Ticket: #8456
---
 doc/userguide/output/eve/eve-json-format.rst | 4 ++++
 etc/schema.json | 8 ++++++++
 src/output-json-alert.c | 3 +++
 3 files changed, 15 insertions(+)
diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index c5569c852f5b..92193453af83 100644
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -405,6 +405,10 @@ It can also contain information about Source and Target of the attack in the ``alert.source`` and ``alert.target`` field if target keyword is used in the signature.
+In firewall mode, the ``alert.engine`` field identifies which rule engine
+generated the alert: ``fw`` for firewall rules and ``td`` for threat detect
+rules. This field is omitted outside of firewall mode.
+
 This event will also have the ``pcap_cnt`` field, when running in pcap mode, to indicate which packet triggered the signature.
diff --git a/etc/schema.json b/etc/schema.json
index 4767aff34ad4..19af7cc38bcc 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -21,6 +21,14 @@
 "additionalProperties": true,
 "description": "Extra context data created by keywords such as dataset with JSON"
 },
+ "engine": {
+ "type": "string",
+ "enum": [
+ "fw",
+ "td"
+ ],
+ "description": "Engine that generated the alert in firewall mode: fw for firewall rules, td for threat detect rules."
+ },
 "gid": {
 "type": "integer"
 },
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index d0e6dba09418..ee018aa12276 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -231,6 +231,9 @@ void AlertJsonHeader(const Packet *p, const PacketAlert *pa, SCJsonBuilder *js,
 SCJbOpenObject(js, "alert");
 SCJbSetString(js, "action", action);
+ if (EngineModeIsFirewall()) {
+ SCJbSetString(js, "engine", (pa->s->flags & SIG_FLAG_FIREWALL) ? "fw" : "td");
+ }
 SCJbSetUint(js, "gid", pa->s->gid);
 SCJbSetUint(js, "signature_id", pa->s->id);
 SCJbSetUint(js, "rev", pa->s->rev);
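Review bot: The engine value is computed inline inside the SCJbSetString call, whereas the neighbouring `action` value on the line above is passed as a named local; for consistency I would hoist it: `const char *engine = (pa->s->flags & SIG_FLAG_FIREWALL) ? "fw" : "td";` followed by `SCJbSetString(js, "engine", engine);`. A one-line comment on the `if` would also help consumers of the record, e.g. `/* Emitted only in firewall mode; absence does not imply "td". */`, since the field's presence depends on the engine mode rather than on the rule that fired. The fw/td classification relies on SIG_FLAG_FIREWALL being set on every firewall-sourced signature at rule load, which this hunk cannot show, so that is worth confirming against the loader. AlertJsonHeader begins before this hunk and continues past it.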