From 3ca663d7ffe98e9c77f18bc0efff3bad5753f24c Mon Sep 17 00:00:00 2001
From: Eric Leblond <eric@regit.org>
Date: Wed, 28 Sep 2016 13:50:01 +0200
Subject: [PATCH] output-json-flow: display bypass method

In the case of a bypassed flow we add a 'bypass' key that can
be 'local' or 'capture'. This will allow the user to know if
capture bypass method is failing by looking at the 'bypass' key.
---
 src/output-json-flow.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/output-json-flow.c b/src/output-json-flow.c
index 8e34169e38..26723fdf02 100644
--- a/src/output-json-flow.c
+++ b/src/output-json-flow.c
@@ -219,8 +219,24 @@ static void JsonFlowLogJSON(JsonFlowLogThread *aft, json_t *js, Flow *f)
         state = "established";
     else if (f->flow_end_flags & FLOW_END_FLAG_STATE_CLOSED)
         state = "closed";
-    else if (f->flow_end_flags & FLOW_END_FLAG_STATE_BYPASSED)
+    else if (f->flow_end_flags & FLOW_END_FLAG_STATE_BYPASSED) {
         state = "bypassed";
+        int flow_state = SC_ATOMIC_GET(f->flow_state);
+        switch (flow_state) {
+            case FLOW_STATE_LOCAL_BYPASSED:
+                json_object_set_new(hjs, "bypass",
+                        json_string("local"));
+                break;
+            case FLOW_STATE_CAPTURE_BYPASSED:
+                json_object_set_new(hjs, "bypass",
+                        json_string("capture"));
+                break;
+            default:
+                SCLogError(SC_ERR_INVALID_VALUE,
+                           "Invalid flow state: %d, contact developers",
+                           flow_state);
+        }
+    }
 
     json_object_set_new(hjs, "state",
             json_string(state));