From 8c75a022ea49117cec7b2cafc3d04be57b9bc25c Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 3 Apr 2018 14:26:49 +0200
Subject: [PATCH] eve/netflow: only log response record if we've seen response pkts
---
 src/output-json-netflow.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/src/output-json-netflow.c b/src/output-json-netflow.c
index f13a837a25..7659a9679b 100644
--- a/src/output-json-netflow.c
+++ b/src/output-json-netflow.c
@@ -321,20 +321,22 @@ static int JsonNetFlowLogger(ThreadVars *tv, void *thread_data, Flow *f)
 json_object_clear(js);
 json_decref(js);

- /* reset */
- MemBufferReset(jhl->buffer);
- js = CreateJSONHeaderFromFlow(f, "netflow", 1);
- if (unlikely(js == NULL))
- return TM_ECODE_OK;
- JsonNetFlowLogJSONToClient(jhl, js, f);
- if (netflow_ctx->include_metadata) {
- JsonAddMetadata(NULL, f, js);
+ /* only log a response record if we actually have seen response packets */
+ if (f->tosrcpktcnt) {
+ /* reset */
+ MemBufferReset(jhl->buffer);
+ js = CreateJSONHeaderFromFlow(f, "netflow", 1);
+ if (unlikely(js == NULL))
+ return TM_ECODE_OK;
+ JsonNetFlowLogJSONToClient(jhl, js, f);
+ if (netflow_ctx->include_metadata) {
+ JsonAddMetadata(NULL, f, js);
+ }
+ OutputJSONBuffer(js, jhl->flowlog_ctx->file_ctx, &jhl->buffer);
+ json_object_del(js, "netflow");
+ json_object_clear(js);
+ json_decref(js);
 }
- OutputJSONBuffer(js, jhl->flowlog_ctx->file_ctx, &jhl->buffer);
- json_object_del(js, "netflow");
- json_object_clear(js);
- json_decref(js);
-
 SCReturnInt(TM_ECODE_OK);
 }
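Review bot: The new `if (f->tosrcpktcnt)` guard changes the output contract, since a flow with no reply traffic now yields one netflow event instead of two, and the comment above it does not say so. I would extend it to `/* only log a response record if we actually have seen response packets; unanswered flows produce a single to-server record */` so that anyone correlating the two records knows a missing response event is expected rather than log loss. The to-server record, whose tail is the context at the top of the hunk, appears to still be written unconditionally; if a flow can be tracked with `todstpktcnt == 0` (not visible here), that side needs the same guard. Inside the new block the `js == NULL` path leaves with a bare `return TM_ECODE_OK;` while the normal exit uses `SCReturnInt(TM_ECODE_OK);`, so a failed header build drops the record silently and the two exits are inconsistent. JsonNetFlowLogger's body starts outside the hunk.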