eve/tls: log ALPN for client and server

Part of the extended logging.

Logs `client_alpns` and `server_alpns` arrays in the tls object.

Ticket: #7055.

doc/userguide/output/eve/eve-json-format.rst

@@ -1046,6 +1046,8 @@ If extended logging is enabled the following fields are also included:
 * "ja3": The JA3 fingerprint consisting of both a JA3 hash and a JA3 string
 * "ja3s": The JA3S fingerprint consisting of both a JA3 hash and a JA3 string
 * "ja4": The JA4 client fingerprint for TLS
+* "client_alpns": array of strings with ALPN values
+* "server_alpns": array of strings with ALPN values
 
 JA3 and JA4 must be enabled in the Suricata config file (set 'app-layer.protocols.tls.ja3-fingerprints'/'app-layer.protocols.tls.ja4-fingerprints' to 'yes').
 

src/output-json-tls.c

@@ -263,6 +263,24 @@ static void JsonTlsLogJa3S(JsonBuilder *js, SSLState *ssl_state)
     }
 }
 
+static void JsonTlsLogAlpns(JsonBuilder *js, SSLStateConnp *connp, const char *object)
+{
+    if (TAILQ_EMPTY(&connp->alpns)) {
+        return;
+    }
+
+    SSLAlpns *a = TAILQ_FIRST(&connp->alpns);
+    if (a == NULL) {
+        return;
+    }
+
+    jb_open_array(js, object);
+    TAILQ_FOREACH (a, &connp->alpns, next) {
+        jb_append_string_from_bytes(js, a->alpn, a->size);
+    }
+    jb_close(js);
+}
+
 static void JsonTlsLogCertificate(JsonBuilder *js, SSLStateConnp *connp)
 {
     if (TAILQ_EMPTY(&connp->certs)) {
@@ -457,6 +475,9 @@ static bool JsonTlsLogJSONExtendedAux(void *vtx, JsonBuilder *tjs)
     /* tls ja4 */
     JsonTlsLogSCJA4(tjs, state);
 
+    JsonTlsLogAlpns(tjs, &state->client_connp, "client_alpns");
+    JsonTlsLogAlpns(tjs, &state->server_connp, "server_alpns");
+
     if (HasClientCert(&state->client_connp)) {
         jb_open_object(tjs, "client");
         JsonTlsLogClientCert(tjs, &state->client_connp, false, false);