From 66da9d0ba68dade5decae23349b8f564b5616c3a Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Mon, 26 Jun 2017 10:41:11 +0200
Subject: [PATCH] output-json-alert: rename applayer to metadata

---
 src/output-json-alert.c | 8 ++++----
 suricata.yaml.in        | 3 +--
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 460ae7a73e..cd177ae965 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -88,7 +88,7 @@
 #define LOG_JSON_APP_LAYER BIT_U16(10)
 #define LOG_JSON_FLOW BIT_U16(11)
 
-#define LOG_JSON_APP_LAYER_ALL (LOG_JSON_APP_LAYER|LOG_JSON_HTTP|LOG_JSON_TLS|LOG_JSON_SSH|LOG_JSON_SMTP|LOG_JSON_DNP3|LOG_JSON_FLOW)
+#define LOG_JSON_METADATA_ALL (LOG_JSON_APP_LAYER|LOG_JSON_HTTP|LOG_JSON_TLS|LOG_JSON_SSH|LOG_JSON_SMTP|LOG_JSON_DNP3|LOG_JSON_VARS|LOG_JSON_FLOW)
 
 #define JSON_STREAM_BUFFER_SIZE 4096
 
@@ -765,7 +765,7 @@ static void XffSetup(AlertJsonOutputCtx *json_output_ctx, ConfNode *conf)
     const char *tagged_packets = ConfNodeLookupChildValue(conf, "tagged-packets");
     const char *dnp3 = ConfNodeLookupChildValue(conf, "dnp3");
     const char *vars = ConfNodeLookupChildValue(conf, "vars");
-    const char *applayer = ConfNodeLookupChildValue(conf, "applayer");
+    const char *metadata = ConfNodeLookupChildValue(conf, "metadata");
     const char *flow = ConfNodeLookupChildValue(conf, "flow");
 
     if (flow != NULL) {
@@ -778,8 +778,8 @@ static void XffSetup(AlertJsonOutputCtx *json_output_ctx, ConfNode *conf)
             json_output_ctx->flags |= LOG_JSON_VARS;
         }
     }
-    if (applayer != NULL && ConfValIsTrue(applayer)) {
-        json_output_ctx->flags |= LOG_JSON_APP_LAYER_ALL;
+    if (metadata != NULL && ConfValIsTrue(metadata)) {
+        json_output_ctx->flags |= LOG_JSON_METADATA_ALL;
     }
     if (ssh != NULL) {
         if (ConfValIsTrue(ssh)) {
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 9cff73b7a0..7b2b679c89 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
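Review bot: The lookup of the old `applayer` key is dropped outright in the @@ -765 hunk, so a deployed suricata.yaml that still says `applayer: yes` will silently lose the L7 fields from its alerts after this change rather than fail loudly, which is exactly the kind of quiet visibility loss an operator will not notice until an investigation needs the data. I would keep a fallback next to the new lookup, `if (metadata == NULL) metadata = ConfNodeLookupChildValue(conf, "applayer");`, and log a deprecation warning on that path so the config gets migrated. Separately, `LOG_JSON_METADATA_ALL` in the @@ -88 hunk now folds in `LOG_JSON_VARS`, which the old `LOG_JSON_APP_LAYER_ALL` did not, so this is a behaviour change and not only a rename; a one-line comment above the macro saying which config key expands to it and that it now includes vars would make that visible. The enclosing function of the @@ -765 and @@ -778 hunks starts and ends outside the hunks.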
@@ -166,8 +166,7 @@ outputs:
             # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
             # payload-printable: yes # enable dumping payload in printable (lossy) format
             # packet: yes # enable dumping of packet (without stream segments)
-            applayer: yes # add L7/applayer fields to the alert
-            vars: yes # enable dumping of flowbits and other vars
+            metadata: yes # add L7/applayer fields, flowbit and other vars to the alert
 
             # Enable the logging of tagged packets for rules using the
             # "tag" keyword.
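Review bot: The new comment on `metadata: yes` understates what the key switches on: on the C side of this same patch `LOG_JSON_METADATA_ALL` also sets `LOG_JSON_FLOW`, so flow fields are added to every alert as well, and that matters for anyone sizing or redacting their eve log. I would reword it to `metadata: yes # add L7/applayer, flow, flowbit and other vars fields to the alert`. Removing the `vars: yes` example also hides that `vars` is still read as its own key (the unchanged `vars` lookup is left as context in the C hunk), so keeping a commented `# vars: yes # enable dumping of flowbits and other vars` line would keep the standalone switch discoverable.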