From 829bab295b1bdf58c7df00a62b2d083294744b5c Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Thu, 23 Nov 2023 06:49:41 +0100
Subject: [PATCH] eve/frame: implement payload-buffer-size option

Modeled after the same option in eve/alert. Defaults to 4k.
---
 src/output-json-frame.c | 14 ++++++++++++++
 suricata.yaml.in | 1 +
 2 files changed, 15 insertions(+)

diff --git a/src/output-json-frame.c b/src/output-json-frame.c
index 665010a6e4..3bccdc6b2f 100644
--- a/src/output-json-frame.c
+++ b/src/output-json-frame.c
@@ -482,8 +482,22 @@ static OutputInitResult JsonFrameLogInitCtxSub(ConfNode *conf, OutputCtx *parent
 goto error;
 }
 
+ uint32_t payload_buffer_size = 4096;
+ if (conf != NULL) {
+ const char *payload_buffer_value = ConfNodeLookupChildValue(conf, "payload-buffer-size");
+ if (payload_buffer_value != NULL) {
+ uint32_t value;
+ if (ParseSizeStringU32(payload_buffer_value, &value) < 0) {
+ SCLogError("Error parsing payload-buffer-size \"%s\"", payload_buffer_value);
+ goto error;
+ }
+ payload_buffer_size = value;
+ }
+ }
+
 json_output_ctx->file_ctx = ajt->file_ctx;
 json_output_ctx->eve_ctx = ajt;
+ json_output_ctx->payload_buffer_size = payload_buffer_size;
 
 output_ctx->data = json_output_ctx;
 output_ctx->DeInit = JsonFrameLogDeInitCtxSub;
diff --git a/suricata.yaml.in b/suricata.yaml.in
index a6d91b27d4..38f5152f5d 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -177,6 +177,7 @@ outputs:
 - frame:
 # disabled by default as this is very verbose.
 enabled: no
+ # payload-buffer-size: 4kb # max size of frame payload buffer to output in eve-log
 - anomaly:
 # Anomaly log records describe unexpected conditions such
 # as truncated packets, packets with invalid IP/UDP/TCP
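Review bot: The value parsed from `payload-buffer-size` in `JsonFrameLogInitCtxSub` is stored without a range check, so a configured `0` or any size up to the `uint32_t` maximum is accepted right after `ParseSizeStringU32()` succeeds. How `payload_buffer_size` is consumed is outside this hunk, so it should be confirmed that zero and very large sizes are handled where the frame payload buffer is sized; presumably each logged frame can then carry that much captured traffic into the EVE log, which affects both memory use and how much payload data lands on disk. A guard such as `if (value == 0) { SCLogError("payload-buffer-size must be greater than 0"); goto error; }`, together with a documented upper bound in the `suricata.yaml.in` comment, would make the accepted range explicit. The `error:` label also lies outside the hunk, so the new `goto error` should be checked against its cleanup of `json_output_ctx` and `output_ctx`.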