From 7274ad58aaeab5a65d49aa8d60839d7cf1f56e00 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 18 Apr 2024 11:54:34 +0200
Subject: [PATCH] detect: use direction-based tx for app-layer logging

When we only have stream matches.
Ticket: 6846
This solves the case where another transaction was created by parsing data in the other direction, before running the detection.
Like
1. get data in direction 1
2. acked data: parse it, but do not run detection in dir 1
3. other data in direction 2
4. other data acked : parse it and create new tx, then run detection for direction 1 with data from first packet
---
 src/detect.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/detect.c b/src/detect.c
index 9d595e66dc..0fc08ee532 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -812,9 +812,11 @@ static inline void DetectRulePacketRules(
 (s->alproto != ALPROTO_UNKNOWN && pflow->proto == IPPROTO_UDP)) {
 // if there is a stream match (TCP), or
 // a UDP specific app-layer signature,
- // try to use the last tx
+ // try to use the good tx for the packet direction
 if (pflow->alstate) {
- txid = AppLayerParserGetTxCnt(pflow, pflow->alstate) - 1;
+ uint8_t dir =
+ (p->flowflags & FLOW_PKT_TOCLIENT) ? STREAM_TOCLIENT : STREAM_TOSERVER;
+ txid = AppLayerParserGetTransactionInspectId(pflow->alparser, dir);
 alert_flags |= PACKET_ALERT_FLAG_TX;
 }
 }
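Review bot: The id taken from AppLayerParserGetTransactionInspectId() on the new `txid = ...` line is not bounded against the flow's transaction count, so if the per-direction inspect id can sit one past the last transaction (every tx in `dir` already inspected, or none created yet) the alert is tagged PACKET_ALERT_FLAG_TX with a txid that names no tx, whereas the removed `AppLayerParserGetTxCnt(...) - 1` always pointed at a real tx once one existed; this path runs for every packet, not only when a tx is being inspected. I would keep the count as a guard and fall back to the last tx when the id is out of range, as sketched below. The new line also dereferences `pflow->alparser` under a check on `pflow->alstate` only; if those two fields can be set independently the guard should read `if (pflow->alstate && pflow->alparser)` — please confirm against the parser setup path. DetectRulePacketRules() begins and ends outside the hunk.
```c
            if (pflow->alstate) {
                uint8_t dir =
                    (p->flowflags & FLOW_PKT_TOCLIENT) ? STREAM_TOCLIENT : STREAM_TOSERVER;
                uint64_t total_txs = AppLayerParserGetTxCnt(pflow, pflow->alstate);
                txid = AppLayerParserGetTransactionInspectId(pflow->alparser, dir);
                if (total_txs > 0 && txid >= total_txs) {
                    /* every tx in this direction was already inspected: attach the last one */
                    txid = total_txs - 1;
                }
                alert_flags |= PACKET_ALERT_FLAG_TX;
            }
```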