eve/http: use eve-level xff config by default

The http section can still have an xff configuration which
will take priority over the eve level xff config.

src/output-json-http.c

@@ -61,6 +61,7 @@ typedef struct LogHttpFileCtx_ {
     uint64_t fields;/** Store fields */
     bool include_metadata;
     HttpXFFCfg *xff_cfg;
+    HttpXFFCfg *parent_xff_cfg;
 } LogHttpFileCtx;
 
 typedef struct JsonHttpLogThread_ {
@@ -468,7 +469,8 @@ static int JsonHttpLogger(ThreadVars *tv, void *thread_data, const Packet *p, Fl
     MemBufferReset(jhl->buffer);
 
     JsonHttpLogJSON(jhl, js, tx, tx_id);
-    HttpXFFCfg *xff_cfg = jhl->httplog_ctx->xff_cfg;
+    HttpXFFCfg *xff_cfg = jhl->httplog_ctx->xff_cfg != NULL ?
+        jhl->httplog_ctx->xff_cfg : jhl->httplog_ctx->parent_xff_cfg;
 
     /* xff header */
     if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
@@ -603,7 +605,7 @@ static OutputInitResult OutputHttpLogInitSub(ConfNode *conf, OutputCtx *parent_c
     OutputInitResult result = { NULL, false };
     OutputJsonCtx *ojc = parent_ctx->data;
 
-    LogHttpFileCtx *http_ctx = SCMalloc(sizeof(LogHttpFileCtx));
+    LogHttpFileCtx *http_ctx = SCCalloc(1, sizeof(LogHttpFileCtx));
     if (unlikely(http_ctx == NULL))
         return result;
     memset(http_ctx, 0x00, sizeof(*http_ctx));
@@ -650,9 +652,14 @@ static OutputInitResult OutputHttpLogInitSub(ConfNode *conf, OutputCtx *parent_c
             }
         }
     }
-    http_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
-    if (http_ctx->xff_cfg != NULL) {
-        HttpXFFGetCfg(conf, http_ctx->xff_cfg);
+
+    if (conf != NULL && ConfNodeLookupChild(conf, "xff") != NULL) {
+        http_ctx->xff_cfg = SCCalloc(1, sizeof(HttpXFFCfg));
+        if (http_ctx->xff_cfg != NULL) {
+            HttpXFFGetCfg(conf, http_ctx->xff_cfg);
+        }
+    } else if (ojc->xff_cfg) {
+        http_ctx->parent_xff_cfg = ojc->xff_cfg;
     }
 
     output_ctx->data = http_ctx;

suricata.yaml.in

@@ -226,23 +226,6 @@ outputs:
             # custom allows additional http fields to be included in eve-log
             # the example below adds three additional fields when uncommented
             #custom: [Accept-Encoding, Accept-Language, Authorization]
-            # HTTP X-Forwarded-For support by adding an extra field or overwriting
-            # the source or destination IP address (depending on flow direction)
-            # with the one reported in the X-Forwarded-For HTTP header. This is
-            # helpful when reviewing alerts for traffic that is being reverse
-            # or forward proxied.
-            xff:
-              enabled: no
-              # Two operation modes are available, "extra-data" and "overwrite".
-              mode: extra-data
-              # Two proxy deployments are supported, "reverse" and "forward". In
-              # a "reverse" deployment the IP address used is the last one, in a
-              # "forward" deployment the first IP address is used.
-              deployment: reverse
-              # Header name where the actual IP address will be reported, if more
-              # than one IP address is present, the last IP address will be the
-              # one taken into consideration.
-              header: X-Forwarded-For
         - dns:
             # This configuration uses the new DNS logging format,
             # the old configuration is still available: