From 74aa65073b01d72e027e6abe696b3298c3f7ac2b Mon Sep 17 00:00:00 2001
From: Mats Klepsland
Date: Tue, 31 Jan 2017 15:02:21 +0100
Subject: [PATCH] output-json-tls: log 'from_proto' field

Log the original application level protocol when protocol have been changed because of STARTTLS, HTTP CONNECT or similar.
---
 src/output-json-tls.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/output-json-tls.c b/src/output-json-tls.c
index 5184373d65..3bdd481621 100644
--- a/src/output-json-tls.c
+++ b/src/output-json-tls.c
@@ -383,6 +383,13 @@ static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
 JsonTlsLogJSONBasic(tjs, ssl_state);
 }

+ /* print original application level protocol when it have been changed
+ because of STARTTLS, HTTP CONNECT, or similar. */
+ if (f->alproto_orig != ALPROTO_UNKNOWN) {
+ json_object_set_new(tjs, "from_proto",
+ json_string(AppLayerGetProtoName(f->alproto_orig)));
+ }
+
 json_object_set_new(js, "tls", tjs);

 OutputJSONBuffer(js, tls_ctx->file_ctx, &aft->buffer);
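Review bot: In the added `if (f->alproto_orig != ALPROTO_UNKNOWN)` branch, the result of `AppLayerGetProtoName()` is passed straight to `json_string()` and the return of `json_object_set_new()` is ignored. If the lookup can return NULL for an unregistered or out-of-range value (its definition is not visible here), `from_proto` is silently left out of the record. A consumer using this field to spot STARTTLS or HTTP CONNECT upgrades then cannot tell "protocol never changed" from "changed, name unavailable". Consider resolving the name first, `const char *from = AppLayerGetProtoName(f->alproto_orig);`, and logging an explicit fallback, `json_object_set_new(tjs, "from_proto", json_string(from != NULL ? from : "unknown"));`. The comment should read "when it has been changed", and the new field needs an entry in the EVE TLS output documentation; `JsonTlsLogger` begins and ends outside this hunk, so how `f` is declared and locked cannot be confirmed from here.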