From 7d28c19f055394031ca1bd18c95d77fe86ac32a9 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Tue, 16 Apr 2019 16:27:51 -0700
Subject: [PATCH] logging: Ensure all anomalous events have an event_type

This change ensures that each anomaly is tagged with an event type to support querying. Each anomalous event will include `"event_type": "anomaly"` in the log record.
---
 src/output-json-anomaly.c | 19 +++++++++----------
 src/output-json.c | 3 +++
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/src/output-json-anomaly.c b/src/output-json-anomaly.c
index abe444538e..9648c23814 100644
--- a/src/output-json-anomaly.c
+++ b/src/output-json-anomaly.c
@@ -84,12 +84,7 @@ static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *
 for (int i = 0; i < p->events.cnt; i++) {
 MemBufferReset(aft->json_buffer);
- json_t *js;
- if (is_IP_pkt) {
- js = CreateJSONHeader(p, LOG_DIR_PACKET, "anomaly");
- } else {
- js = json_object();
- }
+ json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "anomaly");
 if (unlikely(js == NULL)) {
 return TM_ECODE_OK;
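Review bot: With the `is_IP_pkt` branch removed, CreateJSONHeader is now called for every packet in the loop, so the new line is correct only because JsonFiveTuple (changed in the same commit) returns early for packets that are neither IPv4 nor IPv6; that cross-file dependency deserves a comment at the call site, e.g. `/* safe for non-IP packets: JsonFiveTuple omits the 5-tuple when neither IPv4 nor IPv6 */`, so a backport or refactor of one side does not silently break the other. If `is_IP_pkt` is no longer referenced anywhere else in AnomalyJson, its definition above the hunk is now an unused local and should be removed with this change. AnomalyJson starts and ends outside the hunk.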
@@ -118,15 +113,19 @@ static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *
 }
 uint8_t event_code = p->events.events[i];
- if (EVENT_IS_DECODER_PACKET_ERROR(event_code)) {
+ if (event_code < DECODE_EVENT_MAX) {
 const char *event = DEvents[event_code].event_name;
+ json_object_set_new(ajs, "type",
+ EVENT_IS_DECODER_PACKET_ERROR(event_code) ?
+ json_string("packet") : json_string("stream"));
 json_object_set_new(ajs, "event", json_string(event));
 } else {
 /* include event code with unrecognized events */
 uint32_t offset = 0;
- char unknown_event_buf[32];
- PrintBufferData(unknown_event_buf, &offset, 32, "%s(%d)", "Unknown", event_code);
- json_object_set_new(ajs, "event", json_string(unknown_event_buf));
+ char unknown_event_buf[16];
+ json_object_set_new(ajs, "type", json_string("unknown"));
+ PrintBufferData(unknown_event_buf, &offset, 16, "%d", event_code);
+ json_object_set_new(ajs, "code", json_string(unknown_event_buf));
 }
 /* anomaly */
diff --git a/src/output-json.c b/src/output-json.c
index 64d5b44220..9892b0d197 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -446,6 +446,9 @@ void JsonFiveTuple(const Packet *p, enum OutputJsonLogDirection dir, json_t *js)
 srcip, sizeof(srcip));
 PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
+ } else {
+ /* Not an IP packet so don't do anything */
+ return;
 }
 sp = p->sp;
 dp = p->dp;
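Review bot: The unknown-event branch serializes a number as a JSON string: `code` is formatted with PrintBufferData into a 16-byte buffer and emitted through json_string, so consumers querying on it get "17" rather than 17 and cannot compare or range-filter it; `json_object_set_new(ajs, "code", json_integer(event_code));` does the job in one line and removes the buffer, the offset and the format call. The new `event_code < DECODE_EVENT_MAX` test is also what keeps the `DEvents[event_code]` lookup in bounds, and the packet/stream split presumes every in-range code that is not a decoder packet error is a stream event; that ordering assumption should be stated next to the comparison, e.g. `/* guards the DEvents[] index; codes past the packet-error range are stream events */`, since it silently breaks if a new event class is appended to the enum. Note too that known events carry an `event` key while unknown ones carry only `type` and `code`, so a query on `event` never sees the unknown ones. AnomalyJson starts and ends outside the hunk.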
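Review bot: The early return changes the contract of the exported JsonFiveTuple for every caller, not only the anomaly logger: a packet that is neither IPv4 nor IPv6 now gets no src_ip/dest_ip/proto or port keys at all, and the only record of that is the inline comment. Put it where callers see it, in the function's header comment above the hunk, and make the inline comment say what is omitted rather than "don't do anything": `/* Not IPv4 or IPv6: no 5-tuple keys are added to js */`. The return also keeps `sp`/`dp` and the srcip/dstip buffers from being used on the non-IP path; if those buffers are not initialised where they are declared, this return is what prevents uninitialised stack bytes from reaching the log, which is worth saying in the same comment. JsonFiveTuple's body starts above the hunk.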