From 9f4d59b3f79a77ed2faba663e4a54191bea17199 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Thu, 25 Feb 2021 22:48:16 +0100
Subject: [PATCH] detect/tag: add a tag for first packet

We may need to know that a packet has been tagged but is the first one (and thus is not tagged).
---
 src/decode.h | 1 +
 src/detect-engine-tag.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/src/decode.h b/src/decode.h
index be1e6d2b75..1b9806e748 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -1222,6 +1222,7 @@ void DecodeUnregisterCounters(void);
 
 /** We had no alert on flow before this packet */
 #define PKT_FIRST_ALERTS BIT_U32(29)
+#define PKT_FIRST_TAG BIT_U32(30)
 
 /** \brief return 1 if the packet is a pseudo packet */
 #define PKT_IS_PSEUDOPKT(p) \
diff --git a/src/detect-engine-tag.c b/src/detect-engine-tag.c
index 5839bd1597..66409d17bd 100644
--- a/src/detect-engine-tag.c
+++ b/src/detect-engine-tag.c
@@ -276,6 +276,7 @@ static void TagHandlePacketFlow(Flow *f, Packet *p)
 * to log it (the alert will log it) */
 if (!(iter->flags & TAG_ENTRY_FLAG_SKIPPED_FIRST)) {
 iter->flags |= TAG_ENTRY_FLAG_SKIPPED_FIRST;
+ p->flags |= PKT_FIRST_TAG;
 } else {
 /* Update metrics; remove if tag expired; and set alerts */
 switch (iter->metric) {
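Review bot: `PKT_FIRST_TAG` is added in src/decode.h without a doc comment, directly under the `/** We had no alert on flow before this packet */` line that belongs to `PKT_FIRST_ALERTS`, so a reader can take that description to cover both flags. I would give it its own line, e.g. `/** Packet is the first match of a tagging rule: it starts the tag but is not itself logged as tagged */`, with the wording to be confirmed by the author. Nothing in this commit reads the flag, so that comment is the only place telling a future output or logging consumer what it may rely on. Bit 30 also leaves at most one free bit if the flags field is 32 bits wide, which is not visible in this hunk.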
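Review bot: `p->flags |= PKT_FIRST_TAG;` is set only in the `TAG_ENTRY_FLAG_SKIPPED_FIRST` branch of TagHandlePacketFlow, and the diffstat shows a single insertion in this file. Any other handler with the same skipped-first branch (a host-scoped one, if it exists; not visible here) would therefore leave the flag unset. A consumer that uses the flag to tie the triggering packet to its tagged follow-ups would then see it for flow tags only, which leaves a gap in what gets recorded for an investigation. Please confirm the asymmetry is intended or add the same line there. A short why-comment above the new line would also help, e.g. `/* first match: not logged as tagged, but mark it so outputs can tell it started the tag */`. The function body starts and ends outside the hunk.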