From aa0286d925bb6e5b250b2f50e4f10e027fa4521d Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 5 Jun 2020 07:14:20 +0200
Subject: [PATCH] eve/anomaly: don't add timestamp twice
Timestamp is added unconditionally by CreateEveHeader(), so no need to have a local timestamp in case of non-IP packets.
---
 src/output-json-anomaly.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/src/output-json-anomaly.c b/src/output-json-anomaly.c
index a6b46b9e03..e9980446b3 100644
--- a/src/output-json-anomaly.c
+++ b/src/output-json-anomaly.c
@@ -88,13 +88,10 @@ static int AnomalyDecodeEventJson(ThreadVars *tv, JsonAnomalyLogThread *aft,
 const Packet *p)
 {
 const bool is_ip_pkt = PKT_IS_IPV4(p) || PKT_IS_IPV6(p);
-
- char timebuf[64];
- CreateIsoTimeString(&p->ts, timebuf, sizeof(timebuf));
-
 const uint16_t log_type = aft->json_output_ctx->flags;
 const bool log_stream = log_type & LOG_JSON_STREAM_TYPE;
 const bool log_decode = log_type & LOG_JSON_DECODE_TYPE;
+
 for (int i = 0; i < p->events.cnt; i++) {
 uint8_t event_code = p->events.events[i];
 bool is_decode = EVENT_IS_DECODER_PACKET_ERROR(event_code);
@@ -112,16 +109,14 @@ static int AnomalyDecodeEventJson(ThreadVars *tv, JsonAnomalyLogThread *aft,
 jb_open_object(js, ANOMALY_EVENT_TYPE);
- if (!is_ip_pkt) {
- jb_set_string(js, "timestamp", timebuf);
- } else {
+ if (is_ip_pkt) {
 EveAddCommonOptions(&aft->json_output_ctx->cfg, p, p->flow, js);
 }
 if (event_code < DECODE_EVENT_MAX) {
 const char *event = DEvents[event_code].event_name;
 jb_set_string(js, "type",
- EVENT_IS_DECODER_PACKET_ERROR(event_code) ?
+ EVENT_IS_DECODER_PACKET_ERROR(event_code) ?
 "decode" : "stream");
 jb_set_string(js, "event", event);
 } else {
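Review bot: The `type` value in the second hunk is computed by evaluating `EVENT_IS_DECODER_PACKET_ERROR(event_code)` a second time, although the first hunk shows the loop already storing that result in `is_decode`. Since this commit touches that line anyway, it could read `jb_set_string(js, "type", is_decode ? "decode" : "stream");`, so the logged classification and the earlier decision cannot drift apart if one of them is edited later. The lines between the two hunks are not visible, so this assumes both sit in the same loop iteration and `is_decode` is not reassigned in between. With the else branch gone, a short comment above `if (is_ip_pkt)` such as `/* timestamp is set by CreateEveHeader(); non-IP packets get no common options */` would keep the reason for the missing branch next to the code, which is useful to anyone writing parsers or detections against non-IP anomaly records. The body of AnomalyDecodeEventJson starts and ends outside these hunks.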