From 029fd1be598083c67b059c1f55409fc62c6ca2de Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Thu, 7 May 2026 15:32:16 -0600
Subject: [PATCH] eve: add rule generation source to alert record

When an alert is generated from firewall context, add an engine value of "fw", otherwise "td" (for threat detect). The engine field is only added when firewall mode is enabled.

Ticket: #8456
---
 doc/userguide/output/eve/eve-json-format.rst | 4 ++++
 etc/schema.json | 8 ++++++++
 src/output-json-alert.c | 3 +++
 3 files changed, 15 insertions(+)

diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index c5569c852f..92193453af 100644
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -405,6 +405,10 @@ It can also contain information about Source and Target of the attack in the ``alert.source`` and ``alert.target`` field if target keyword is used in the signature.
+In firewall mode, the ``alert.engine`` field identifies which rule engine
+generated the alert: ``fw`` for firewall rules and ``td`` for threat detect
+rules. This field is omitted outside of firewall mode.
+
 This event will also have the ``pcap_cnt`` field, when running in pcap mode, to indicate which packet triggered the signature.
diff --git a/etc/schema.json b/etc/schema.json
index 4767aff34a..19af7cc38b 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -21,6 +21,14 @@
 "additionalProperties": true,
 "description": "Extra context data created by keywords such as dataset with JSON"
 },
+ "engine": {
+ "type": "string",
+ "enum": [
+ "fw",
+ "td"
+ ],
+ "description": "Engine that generated the alert in firewall mode: fw for firewall rules, td for threat detect rules."
+ },
 "gid": {
 "type": "integer"
 },
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index d0e6dba094..ee018aa122 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -231,6 +231,9 @@ void AlertJsonHeader(const Packet *p, const PacketAlert *pa, SCJsonBuilder *js,
 SCJbOpenObject(js, "alert");
 SCJbSetString(js, "action", action);
+ if (EngineModeIsFirewall()) {
+ SCJbSetString(js, "engine", (pa->s->flags & SIG_FLAG_FIREWALL) ? "fw" : "td");
+ }
 SCJbSetUint(js, "gid", pa->s->gid);
 SCJbSetUint(js, "signature_id", pa->s->id);
 SCJbSetUint(js, "rev", pa->s->rev);
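Review bot: The new `if (EngineModeIsFirewall())` block carries no comment explaining why `engine` is gated on firewall mode, so the next reader of AlertJsonHeader cannot tell that omitting the field outside firewall mode is deliberate and is what the schema and userguide describe; add `/* Only emitted in firewall mode: tells consumers whether the alert came from a firewall rule ("fw") or a threat-detection rule ("td"); absent otherwise. */` above the `if`. The value is derived from `pa->s->flags & SIG_FLAG_FIREWALL`, which presumably is fixed at signature load time; if a signature can carry that flag while firewall mode is off, the comment should state that such alerts intentionally get no `engine` field. Consumers building detections on this field should key on its presence rather than assuming a default of `td`, which the userguide wording already implies. AlertJsonHeader's body begins and ends outside the hunk.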