From 95ac92f9aa5fe86428f407d88b5e3325f7edc376 Mon Sep 17 00:00:00 2001
From: Victor Julien <vjulien@oisf.net>
Date: Fri, 6 Dec 2024 14:11:38 +0100
Subject: [PATCH] eve/frame: run logging for flow end packets

If there are frames in the flow the flow manager will create flow
timeout packets to log the remaining frames. This requires the logger to
run for those flow timeout packets.

Ticket: #7440.
---
 src/output-json-frame.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/output-json-frame.c b/src/output-json-frame.c
index 41c5283294..6a3cf768a4 100644
--- a/src/output-json-frame.c
+++ b/src/output-json-frame.c
@@ -408,9 +408,11 @@ static bool JsonFrameLogCondition(ThreadVars *tv, void *thread_data, const Packe
 
     if ((p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP) && p->flow->alparser != NULL) {
         if (p->proto == IPPROTO_TCP) {
-            if ((p->flow->flags & FLOW_TS_APP_UPDATED) && PKT_IS_TOSERVER(p)) {
+            if ((PKT_IS_PSEUDOPKT(p) || (p->flow->flags & FLOW_TS_APP_UPDATED)) &&
+                    PKT_IS_TOSERVER(p)) {
                 // fallthrough
-            } else if ((p->flow->flags & FLOW_TC_APP_UPDATED) && PKT_IS_TOCLIENT(p)) {
+            } else if ((PKT_IS_PSEUDOPKT(p) || (p->flow->flags & FLOW_TC_APP_UPDATED)) &&
+                       PKT_IS_TOCLIENT(p)) {
                 // fallthrough
             } else {
                 return false;