eve/alert: enrich decoder event

Default decoder event alert was very sparse, not even logging packet type and pcap_cnt. Expand support for this record type. It will be more useful with the ethernet headers and packet field, but these are still disabled by default. Ticket: #7433.
OISF · Dec 4, 2024 · e177513 · e177513
1 parent 7f548f4
commit e177513
Showing 1 changed file with 27 additions and 5 deletions.
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
@@ -791,15 +791,37 @@ static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const
             continue;
         }
 
-        JsonBuilder *jb = jb_new_object();
-        if (unlikely(jb == NULL)) {
+        JsonBuilder *jb =
+                CreateEveHeader(p, LOG_DIR_PACKET, "alert", NULL, json_output_ctx->eve_ctx);
+        if (unlikely(jb == NULL))
             return TM_ECODE_OK;
+
+        AlertJsonHeader(p, pa, jb, json_output_ctx->flags, NULL, NULL);
+
+        if (PacketIsTunnel(p)) {
+            AlertJsonTunnel(p, jb);
         }
 
-        /* just the timestamp, no tuple */
-        jb_set_string(jb, "timestamp", timebuf);
+        /* payload */
+        if (json_output_ctx->flags &
+                (LOG_JSON_PAYLOAD | LOG_JSON_PAYLOAD_BASE64 | LOG_JSON_PAYLOAD_LENGTH)) {
+            AlertAddPayload(json_output_ctx, jb, p);
+            jb_set_uint(jb, "stream", 0);
+        }
 
-        AlertJsonHeader(p, pa, jb, json_output_ctx->flags, NULL, NULL);
+        /* base64-encoded full packet */
+        if (json_output_ctx->flags & LOG_JSON_PACKET) {
+            EvePacket(p, jb, 0);
+        }
+
+        char *pcap_filename = PcapLogGetFilename();
+        if (pcap_filename != NULL) {
+            jb_set_string(jb, "capture_file", pcap_filename);
+        }
+
+        if (json_output_ctx->flags & LOG_JSON_VERDICT) {
+            EveAddVerdict(jb, p);
+        }
 
         OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
         jb_free(jb);