output-json-tls: log 'from_proto' field

Log the original application level protocol when protocol have been changed because of STARTTLS, HTTP CONNECT or similar.
8 years ago · 74aa65073b
parent e8800b1893
commit 74aa65073b
1 changed files with 7 additions and 0 deletions
--- a/src/output-json-tls.c
+++ b/src/output-json-tls.c
@ -383,6 +383,13 @@ static int JsonTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
        JsonTlsLogJSONBasic(tjs, ssl_state);
    }

+    /* print original application level protocol when it have been changed
+       because of STARTTLS, HTTP CONNECT, or similar. */
+    if (f->alproto_orig != ALPROTO_UNKNOWN) {
+        json_object_set_new(tjs, "from_proto",
+                json_string(AppLayerGetProtoName(f->alproto_orig)));
+    }
+
    json_object_set_new(js, "tls", tjs);

    OutputJSONBuffer(js, tls_ctx->file_ctx, &aft->buffer);