From 27dd0c6b3def8149168eda8ae93aeee082645ff1 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 30 Nov 2021 14:21:48 +0100 Subject: [PATCH] eve/ftp-data: log alert metadata in ftp-data object Ticket: 4860 instead of directly in root --- doc/userguide/upgrade.rst | 1 + src/output-json-alert.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index 96b8f0518a..e93e8c467b 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst @@ -45,6 +45,7 @@ Logging changes ~~~~~~~~~~~~~~~ - IKEv2 Eve logging changed, the event_type has become ``ike``. The fields ``errors`` and ``notify`` have moved to ``ike.ikev2.errors`` and ``ike.ikev2.notify``. +- FTP DATA metadata for alerts are now logged in ``ftp_data`` instead of root. Other changes ~~~~~~~~~~~~~ diff --git a/src/output-json-alert.c b/src/output-json-alert.c index 0ebe6fe0c1..50d9bc216d 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c @@ -519,7 +519,10 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb, } break; case ALPROTO_FTPDATA: + jb_get_mark(jb, &mark); + jb_open_object(jb, "ftp_data"); EveFTPDataAddMetadata(p->flow, jb); + jb_close(jb); break; case ALPROTO_DNP3: AlertJsonDnp3(p->flow, tx_id, jb);
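Review bot: In the `ALPROTO_FTPDATA` case the new `jb_get_mark(jb, &mark);` is never paired with a restore in the visible lines, so the `ftp_data` object is opened and closed unconditionally. If `EveFTPDataAddMetadata` writes nothing for a flow (its body and return type are not shown here), the alert record would carry an empty `ftp_data` object, which downstream EVE parsers and detection rules could misread as FTP-DATA metadata being present. Either drop the unused mark, or have the helper report whether it wrote anything and call `jb_restore_mark(jb, &mark);` instead of `jb_close(jb);` when it did not. `AlertAddAppLayer` starts and continues outside this hunk, so the declaration of `mark` is not visible.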