eve/logging: 2991 Optimize logging by TX

This changeset makes changes to the TX logging path. Since the txn
is passed to the TX logger, the TX can be used directly instead of
through the TX id.

rust/src/applayertemplate/template.rs

@@ -416,14 +416,10 @@ pub extern "C" fn rs_template_tx_set_logged(
 
 #[no_mangle]
 pub extern "C" fn rs_template_state_get_events(
-    state: *mut libc::c_void,
-    tx_id: u64,
+    tx: *mut libc::c_void
 ) -> *mut core::AppLayerDecoderEvents {
-    let state = cast_pointer!(state, TemplateState);
-    match state.get_tx(tx_id) {
-        Some(tx) => tx.events,
-        _ => std::ptr::null_mut(),
-    }
+    let tx = cast_pointer!(tx, TemplateTransaction);
+    return tx.events;
 }
 
 #[no_mangle]

rust/src/dhcp/dhcp.rs

@@ -328,15 +328,11 @@ pub extern "C" fn rs_dhcp_tx_set_logged(_state: *mut libc::c_void,
 }
 
 #[no_mangle]
-pub extern "C" fn rs_dhcp_state_get_events(state: *mut libc::c_void,
-                                           tx_id: u64)
+pub extern "C" fn rs_dhcp_state_get_events(tx: *mut libc::c_void)
                                            -> *mut core::AppLayerDecoderEvents
 {
-    let state = cast_pointer!(state, DHCPState);
-    match state.get_tx(tx_id) {
-        Some(tx) => tx.events,
-        _        => std::ptr::null_mut(),
-    }
+    let tx = cast_pointer!(tx, DHCPTransaction);
+    return tx.events;
 }
 
 #[no_mangle]

rust/src/dns/dns.rs

@@ -745,18 +745,11 @@ pub extern "C" fn rs_dns_state_get_tx_detect_state(
 }
 
 #[no_mangle]
-pub extern "C" fn rs_dns_state_get_events(state: &mut DNSState,
-                                          tx_id: u64)
+pub extern "C" fn rs_dns_state_get_events(tx: *mut libc::c_void)
                                           -> *mut core::AppLayerDecoderEvents
 {
-    match state.get_tx(tx_id) {
-        Some(tx) => {
-            return tx.events;
-        }
-        _ => {
-            return std::ptr::null_mut();
-        }
-    }
+    let tx = cast_pointer!(tx, DNSTransaction);
+    return tx.events;
 }
 
 #[no_mangle]

rust/src/ikev2/ikev2.rs

@@ -571,15 +571,11 @@ pub extern "C" fn rs_ikev2_state_get_tx_detect_state(
 
 
 #[no_mangle]
-pub extern "C" fn rs_ikev2_state_get_events(state: *mut libc::c_void,
-                                          tx_id: u64)
+pub extern "C" fn rs_ikev2_state_get_events(tx: *mut libc::c_void)
                                           -> *mut core::AppLayerDecoderEvents
 {
-    let state = cast_pointer!(state,IKEV2State);
-    match state.get_tx_by_id(tx_id) {
-        Some(tx) => tx.events,
-        _        => std::ptr::null_mut(),
-    }
+    let tx = cast_pointer!(tx, IKEV2Transaction);
+    return tx.events;
 }
 
 #[no_mangle]

rust/src/krb/krb5.rs

@@ -367,15 +367,11 @@ pub extern "C" fn rs_krb5_state_get_tx_detect_state(
 
 
 #[no_mangle]
-pub extern "C" fn rs_krb5_state_get_events(state: *mut libc::c_void,
-                                          tx_id: u64)
+pub extern "C" fn rs_krb5_state_get_events(tx: *mut libc::c_void)
                                           -> *mut core::AppLayerDecoderEvents
 {
-    let state = cast_pointer!(state,KRB5State);
-    match state.get_tx_by_id(tx_id) {
-        Some(tx) => tx.events,
-        _        => std::ptr::null_mut(),
-    }
+    let tx = cast_pointer!(tx, KRB5Transaction);
+    return tx.events;
 }
 
 #[no_mangle]

rust/src/nfs/nfs.rs

@@ -1589,18 +1589,11 @@ pub extern "C" fn rs_nfs_tx_get_detect_flags(
 }
 
 #[no_mangle]
-pub extern "C" fn rs_nfs_state_get_events(state: &mut NFSState,
-                                          tx_id: u64)
+pub extern "C" fn rs_nfs_state_get_events(tx: *mut libc::c_void)
                                           -> *mut AppLayerDecoderEvents
 {
-    match state.get_tx_by_id(tx_id) {
-        Some(tx) => {
-            return tx.events;
-        }
-        _ => {
-            return std::ptr::null_mut();
-        }
-    }
+    let tx = cast_pointer!(tx, NFSTransaction);
+    return tx.events;
 }
 
 #[no_mangle]

rust/src/ntp/ntp.rs

@@ -304,15 +304,11 @@ pub extern "C" fn rs_ntp_state_get_tx_detect_state(
 
 
 #[no_mangle]
-pub extern "C" fn rs_ntp_state_get_events(state: *mut libc::c_void,
-                                          tx_id: u64)
+pub extern "C" fn rs_ntp_state_get_events(tx: *mut libc::c_void)
                                           -> *mut core::AppLayerDecoderEvents
 {
-    let state = cast_pointer!(state,NTPState);
-    match state.get_tx_by_id(tx_id) {
-        Some(tx) => tx.events,
-        _        => std::ptr::null_mut(),
-    }
+    let tx = cast_pointer!(tx, NTPTransaction);
+    return tx.events;
 }
 
 #[no_mangle]

rust/src/parser.rs

@@ -137,7 +137,7 @@ pub type StateGetProgressFn = extern "C" fn (*mut c_void, u8) -> c_int;
 pub type GetDetectStateFn   = extern "C" fn (*mut c_void) -> *mut DetectEngineState;
 pub type SetDetectStateFn   = extern "C" fn (*mut c_void, &mut DetectEngineState) -> c_int;
 pub type GetEventInfoFn     = extern "C" fn (*const c_char, *mut c_int, *mut AppLayerEventType) -> c_int;
-pub type GetEventsFn        = extern "C" fn (*mut c_void, u64) -> *mut AppLayerDecoderEvents;
+pub type GetEventsFn        = extern "C" fn (*mut c_void) -> *mut AppLayerDecoderEvents;
 pub type GetTxLoggedFn      = extern "C" fn (*mut c_void, *mut c_void) -> u32;
 pub type SetTxLoggedFn      = extern "C" fn (*mut c_void, *mut c_void, u32);
 pub type LocalStorageNewFn  = extern "C" fn () -> *mut c_void;

rust/src/smb/smb.rs

@@ -2104,18 +2104,11 @@ pub extern "C" fn rs_smb_state_truncate(
 }
 
 #[no_mangle]
-pub extern "C" fn rs_smb_state_get_events(state: &mut SMBState,
-                                          tx_id: u64)
+pub extern "C" fn rs_smb_state_get_events(tx: *mut libc::c_void)
                                           -> *mut AppLayerDecoderEvents
 {
-    match state.get_tx_by_id(tx_id) {
-        Some(tx) => {
-            return tx.events;
-        }
-        _ => {
-            return std::ptr::null_mut();
-        }
-    }
+    let tx = cast_pointer!(tx, SMBTransaction);
+    return tx.events;
 }
 
 #[no_mangle]

src/app-layer-dnp3.c

@@ -1309,23 +1309,9 @@ error:
     SCReturnInt(-1);
 }
 
-static AppLayerDecoderEvents *DNP3GetEvents(void *state, uint64_t tx_id)
+static AppLayerDecoderEvents *DNP3GetEvents(void *tx)
 {
-    DNP3State *dnp3 = state;
-    DNP3Transaction *tx;
-    uint64_t tx_num = tx_id + 1;
-
-    if (dnp3->curr && dnp3->curr->tx_num == tx_num) {
-        return dnp3->curr->decoder_events;
-    }
-
-    TAILQ_FOREACH(tx, &dnp3->tx_list, next) {
-        if (tx->tx_num == tx_num) {
-            return tx->decoder_events;
-        }
-    }
-
-    return NULL;
+    return ((DNP3Transaction *) tx)->decoder_events;
 }
 
 static void *DNP3GetTx(void *alstate, uint64_t tx_id)

src/app-layer-dns-tcp-rust.c

@@ -110,9 +110,9 @@ static int RustDNSSetTxDetectState(void *tx,
     return 0;
 }
 
-static AppLayerDecoderEvents *RustDNSGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *RustDNSGetEvents(void *tx)
 {
-    return rs_dns_state_get_events(state, id);
+    return rs_dns_state_get_events(tx);
 }
 
 void RegisterRustDNSTCPParsers(void)
@@ -170,6 +170,7 @@ void RegisterRustDNSTCPParsers(void)
         AppLayerParserRegisterGetStateProgressCompletionStatus(ALPROTO_DNS,
                 rs_dns_state_progress_completion_status);
         DNSAppLayerRegisterGetEventInfo(IPPROTO_TCP, ALPROTO_DNS);
+        DNSAppLayerRegisterGetEventInfoById(IPPROTO_TCP, ALPROTO_DNS);
 
         /* This parser accepts gaps. */
         AppLayerParserRegisterOptionFlags(IPPROTO_TCP, ALPROTO_DNS,

src/app-layer-dns-udp-rust.c

@@ -116,9 +116,9 @@ static uint64_t RustDNSGetDetectFlags(void *tx, uint8_t dir)
     return rs_dns_tx_get_detect_flags(tx, dir);
 }
 
-static AppLayerDecoderEvents *RustDNSGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *RustDNSGetEvents(void *tx)
 {
-    return rs_dns_state_get_events(state, id);
+    return rs_dns_state_get_events(tx);
 }
 
 void RegisterRustDNSUDPParsers(void)
@@ -183,6 +183,7 @@ void RegisterRustDNSUDPParsers(void)
                 rs_dns_state_progress_completion_status);
 
         DNSAppLayerRegisterGetEventInfo(IPPROTO_UDP, ALPROTO_DNS);
+        DNSAppLayerRegisterGetEventInfoById(IPPROTO_UDP, ALPROTO_DNS);
 
 #if 0
         DNSUDPConfigure();

src/app-layer-enip.c

@@ -112,20 +112,9 @@ static uint64_t ENIPGetTxCnt(void *alstate)
     return ((uint64_t) ((ENIPState *) alstate)->transaction_max);
 }
 
-static AppLayerDecoderEvents *ENIPGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *ENIPGetEvents(void *tx)
 {
-    ENIPState         *enip = (ENIPState *) state;
-    ENIPTransaction   *tx;
-
-    if (enip->curr && enip->curr->tx_num == (id + 1))
-        return enip->curr->decoder_events;
-
-    TAILQ_FOREACH(tx, &enip->tx_list, next) {
-        if (tx->tx_num == (id+1))
-            return tx->decoder_events;
-    }
-
-    return NULL;
+    return ((ENIPTransaction *)tx)->decoder_events;
 }
 
 static int ENIPStateGetEventInfo(const char *event_name, int *event_id, AppLayerEventType *event_type)

src/app-layer-htp-file.c

@@ -1264,7 +1264,8 @@ static int HTPFileParserTest08(void)
     }
 
     FLOWLOCK_WRLOCK(f);
-    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, tx);
     if (decoder_events == NULL) {
         printf("no app events: ");
         FLOWLOCK_UNLOCK(f);
@@ -1386,7 +1387,8 @@ static int HTPFileParserTest09(void)
     }
 
     FLOWLOCK_WRLOCK(f);
-    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, tx);
     if (decoder_events == NULL) {
         printf("no app events: ");
         FLOWLOCK_UNLOCK(f);
@@ -1506,7 +1508,8 @@ static int HTPFileParserTest10(void)
     }
 
     FLOWLOCK_WRLOCK(f);
-    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    void *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, tx);
     if (decoder_events != NULL) {
         printf("app events: ");
         FLOWLOCK_UNLOCK(f);
@@ -1644,7 +1647,8 @@ static int HTPFileParserTest11(void)
     }
 
     FLOWLOCK_WRLOCK(f);
-    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    void *txtmp = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, txtmp);
     if (decoder_events != NULL) {
         printf("app events: ");
         FLOWLOCK_UNLOCK(f);

src/app-layer-htp.c

@@ -287,19 +287,16 @@ static void HTPSetEvent(HtpState *s, HtpTxUserData *htud, uint8_t e)
     SCLogDebug("couldn't set event %u", e);
 }
 
-static AppLayerDecoderEvents *HTPGetEvents(void *state, uint64_t tx_id)
+static AppLayerDecoderEvents *HTPGetEvents(void *tx)
 {
-    SCLogDebug("get HTTP events for TX %"PRIu64, tx_id);
+    SCLogDebug("get HTTP events for TX %p", tx);
 
-    HtpState *s = (HtpState *)state;
-    htp_tx_t *tx = HTPStateGetTx(s, tx_id);
-    if (tx != NULL) {
-        HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
-        if (htud != NULL) {
-            SCLogDebug("has htud, htud->decoder_events %p", htud->decoder_events);
-            return htud->decoder_events;
-        }
+    HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(tx);
+    if (htud != NULL) {
+        SCLogDebug("has htud, htud->decoder_events %p", htud->decoder_events);
+        return htud->decoder_events;
     }
+
     return NULL;
 }
 
@@ -6139,7 +6136,8 @@ libhtp:\n\
     FAIL_IF(tx->request_method_number != HTP_M_GET);
     FAIL_IF(tx->request_protocol_number != HTP_PROTOCOL_1_1);
 
-    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    void *txtmp = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, txtmp);
     FAIL_IF_NULL(decoder_events);
 
     FAIL_IF(decoder_events->events[0] != HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG);
@@ -6256,7 +6254,8 @@ libhtp:\n\
     }
 
     FLOWLOCK_WRLOCK(f);
-    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    void *txtmp = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, txtmp);
     if (decoder_events != NULL) {
         printf("app events: ");
         FLOWLOCK_UNLOCK(f);
@@ -6338,7 +6337,8 @@ static int HTPParserTest16(void)
     }
 
     FLOWLOCK_WRLOCK(f);
-    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    void *txtmp = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP,f->alstate, 0);
+    AppLayerDecoderEvents *decoder_events = AppLayerParserGetEventsByTx(IPPROTO_TCP, ALPROTO_HTTP, txtmp);
     if (decoder_events == NULL) {
         printf("no app events: ");
         FLOWLOCK_UNLOCK(f);

src/app-layer-modbus.c

@@ -214,20 +214,9 @@ static void ModbusSetEvent(ModbusState *modbus, uint8_t e)
         SCLogDebug("couldn't set event %u", e);
 }
 
-static AppLayerDecoderEvents *ModbusGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *ModbusGetEvents(void *tx)
 {
-    ModbusState         *modbus = (ModbusState *) state;
-    ModbusTransaction   *tx;
-
-    if (modbus->curr && modbus->curr->tx_num == (id + 1))
-        return modbus->curr->decoder_events;
-
-    TAILQ_FOREACH(tx, &modbus->tx_list, next) {
-        if (tx->tx_num == (id+1))
-            return tx->decoder_events;
-    }
-
-    return NULL;
+    return ((ModbusTransaction *)tx)->decoder_events;
 }
 
 static int ModbusGetAlstateProgress(void *modbus_tx, uint8_t direction)

src/app-layer-nfs-tcp.c

@@ -101,9 +101,17 @@ static int NFSTCPStateGetEventInfo(const char *event_name, int *event_id,
     return rs_nfs_state_get_event_info(event_name, event_id, event_type);
 }
 
-static AppLayerDecoderEvents *NFSTCPGetEvents(void *state, uint64_t id)
+static int NFSTCPStateGetEventInfoById(int event_id, const char **event_name,
+    AppLayerEventType *event_type)
 {
-    return rs_nfs_state_get_events(state, id);
+    *event_name = "NFS TCP event name (generic)";
+    *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
+    return 0;
+}
+
+static AppLayerDecoderEvents *NFSTCPGetEvents(void *tx)
+{
+    return rs_nfs_state_get_events(tx);
 }
 
 /**
@@ -378,6 +386,10 @@ void RegisterNFSTCPParsers(void)
 
         AppLayerParserRegisterGetEventInfo(IPPROTO_TCP, ALPROTO_NFS,
                 NFSTCPStateGetEventInfo);
+
+        AppLayerParserRegisterGetEventInfoById(IPPROTO_TCP, ALPROTO_NFS,
+                NFSTCPStateGetEventInfoById);
+
         AppLayerParserRegisterGetEventsFunc(IPPROTO_TCP, ALPROTO_NFS,
                 NFSTCPGetEvents);
 

src/app-layer-nfs-udp.c

@@ -98,9 +98,17 @@ static int NFSStateGetEventInfo(const char *event_name, int *event_id,
     return rs_nfs_state_get_event_info(event_name, event_id, event_type);
 }
 
-static AppLayerDecoderEvents *NFSGetEvents(void *state, uint64_t id)
+static int NFSStateGetEventInfoById(int event_id, const char **event_name,
+    AppLayerEventType *event_type)
 {
-    return rs_nfs_state_get_events(state, id);
+    *event_name = "NFS UDP event name (generic)";
+    *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
+    return 0;
+}
+
+static AppLayerDecoderEvents *NFSGetEvents(void *tx)
+{
+    return rs_nfs_state_get_events(tx);
 }
 
 /**
@@ -338,6 +346,10 @@ void RegisterNFSUDPParsers(void)
 
         AppLayerParserRegisterGetEventInfo(IPPROTO_UDP, ALPROTO_NFS,
             NFSStateGetEventInfo);
+
+        AppLayerParserRegisterGetEventInfoById(IPPROTO_UDP, ALPROTO_NFS,
+            NFSStateGetEventInfoById);
+
         AppLayerParserRegisterGetEventsFunc(IPPROTO_UDP, ALPROTO_NFS,
             NFSGetEvents);
 

src/app-layer-parser.c

@@ -103,7 +103,7 @@ typedef struct AppLayerParserProtoCtx_
 
     void (*Truncate)(void *, uint8_t);
     FileContainer *(*StateGetFiles)(void *, uint8_t);
-    AppLayerDecoderEvents *(*StateGetEvents)(void *, uint64_t);
+    AppLayerDecoderEvents *(*StateGetEvents)(void *);
 
     int (*StateGetProgress)(void *alstate, uint8_t direction);
     uint64_t (*StateGetTxCnt)(void *alstate);
@@ -433,7 +433,7 @@ void AppLayerParserRegisterGetFilesFunc(uint8_t ipproto, AppProto alproto,
 }
 
 void AppLayerParserRegisterGetEventsFunc(uint8_t ipproto, AppProto alproto,
-    AppLayerDecoderEvents *(*StateGetEvents)(void *, uint64_t))
+    AppLayerDecoderEvents *(*StateGetEvents)(void *))
 {
     SCEnter();
 
@@ -844,7 +844,7 @@ void AppLayerParserSetDecoderEvents(AppLayerParserState *pstate, AppLayerDecoder
 }
 
 AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto,
-                                        void *alstate, uint64_t tx_id)
+                                        void *tx)
 {
     SCEnter();
 
@@ -854,7 +854,7 @@ AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alp
         StateGetEvents != NULL)
     {
         ptr = alp_ctx.ctxs[FlowGetProtoMapping(ipproto)][alproto].
-            StateGetEvents(alstate, tx_id);
+            StateGetEvents(tx);
     }
 
     SCReturnPtr(ptr, "AppLayerDecoderEvents *");

src/app-layer-parser.h

@@ -138,7 +138,7 @@ void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto proto,
 void AppLayerParserRegisterGetFilesFunc(uint8_t ipproto, AppProto alproto,
                              FileContainer *(*StateGetFiles)(void *, uint8_t));
 void AppLayerParserRegisterGetEventsFunc(uint8_t ipproto, AppProto proto,
-    AppLayerDecoderEvents *(*StateGetEvents)(void *, uint64_t));
+    AppLayerDecoderEvents *(*StateGetEvents)(void *) __attribute__((nonnull)));
 void AppLayerParserRegisterLoggerFuncs(uint8_t ipproto, AppProto alproto,
                          LoggerId (*StateGetTxLogged)(void *, void *),
                          void (*StateSetTxLogged)(void *, void *, LoggerId));
@@ -200,8 +200,7 @@ void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *p
 
 AppLayerDecoderEvents *AppLayerParserGetDecoderEvents(AppLayerParserState *pstate);
 void AppLayerParserSetDecoderEvents(AppLayerParserState *pstate, AppLayerDecoderEvents *devents);
-AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void *alstate,
-                                        uint64_t tx_id);
+AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void *tx);
 FileContainer *AppLayerParserGetFiles(uint8_t ipproto, AppProto alproto,
                            void *alstate, uint8_t direction);
 int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto,

src/app-layer-register.h

@@ -54,7 +54,7 @@ typedef struct AppLayerParser {
     DetectEngineState *(*GetTxDetectState)(void *tx);
     int (*SetTxDetectState)(void *tx, DetectEngineState *);
 
-    AppLayerDecoderEvents *(*StateGetEvents)(void *, uint64_t);
+    AppLayerDecoderEvents *(*StateGetEvents)(void *);
     int (*StateGetEventInfo)(const char *event_name,
                              int *event_id, AppLayerEventType *event_type);
 

src/app-layer-smb.c

@@ -186,9 +186,17 @@ static FileContainer *SMBGetFiles(void *state, uint8_t direction)
     return rs_smb_getfiles(direction, state);
 }
 
-static AppLayerDecoderEvents *SMBGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *SMBGetEvents(void *tx)
 {
-    return rs_smb_state_get_events(state, id);
+    return rs_smb_state_get_events(tx);
+}
+
+static int SMBGetEventInfoById(int event_id, const char **event_name,
+    AppLayerEventType *event_type)
+{
+    *event_name = "SMB event name (generic)";
+    *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
+    return 0;
 }
 
 static int SMBGetEventInfo(const char *event_name, int *event_id,
@@ -302,6 +310,8 @@ void RegisterSMBParsers(void)
                 SMBGetEvents);
         AppLayerParserRegisterGetEventInfo(IPPROTO_TCP, ALPROTO_SMB,
                 SMBGetEventInfo);
+        AppLayerParserRegisterGetEventInfoById(IPPROTO_TCP, ALPROTO_SMB,
+                SMBGetEventInfoById);
 
         AppLayerParserRegisterDetectStateFuncs(IPPROTO_TCP, ALPROTO_SMB,
                 SMBGetTxDetectState, SMBSetTxDetectState);

src/app-layer-smtp.c

@@ -1705,15 +1705,11 @@ static void SMTPStateTruncate(void *state, uint8_t direction)
     }
 }
 
-static AppLayerDecoderEvents *SMTPGetEvents(void *state, uint64_t tx_id)
+static AppLayerDecoderEvents *SMTPGetEvents(void *tx)
 {
-    SCLogDebug("get SMTP events for TX %"PRIu64, tx_id);
+    SCLogDebug("get SMTP events for TX %p", tx);
 
-    SMTPTransaction *tx = SMTPStateGetTx(state, tx_id);
-    if (tx != NULL) {
-        return tx->decoder_events;
-    }
-    return NULL;
+    return ((SMTPTransaction *)tx)->decoder_events;
 }
 
 static DetectEngineState *SMTPGetTxDetectState(void *vtx)

src/app-layer-ssl.c

@@ -164,9 +164,10 @@ void SSLSetEvent(SSLState *ssl_state, uint8_t event)
     ssl_state->events++;
 }
 
-static AppLayerDecoderEvents *SSLGetEvents(void *state, uint64_t id)
+static AppLayerDecoderEvents *SSLGetEvents(void *tx)
 {
-    SSLState *ssl_state = (SSLState *)state;
+    /* for TLS, TX == state, see GetTx */
+    SSLState *ssl_state = (SSLState *)tx;
     return ssl_state->decoder_events;
 }
 

src/app-layer-template.c

@@ -190,18 +190,9 @@ static int TemplateStateGetEventInfoById(int event_id, const char **event_name,
     return 0;
 }
 
-static AppLayerDecoderEvents *TemplateGetEvents(void *statev, uint64_t tx_id)
+static AppLayerDecoderEvents *TemplateGetEvents(void *tx)
 {
-    TemplateState *state = statev;
-    TemplateTransaction *tx;
-
-    TAILQ_FOREACH(tx, &state->tx_list, next) {
-        if (tx->tx_id == tx_id) {
-            return tx->decoder_events;
-        }
-    }
-
-    return NULL;
+    return ((TemplateTransaction *)tx)->decoder_events;
 }
 
 /**

src/app-layer-tftp.c

@@ -72,7 +72,7 @@ static int TFTPStateGetEventInfo(const char *event_name, int *event_id,
     return -1;
 }
 
-static AppLayerDecoderEvents *TFTPGetEvents(void *state, uint64_t tx_id)
+static AppLayerDecoderEvents *TFTPGetEvents(void *tx)
 {
     return NULL;
 }

src/detect-app-layer-event.c

@@ -95,7 +95,7 @@ static int DetectEngineAptEventInspect(ThreadVars *tv,
     DetectAppLayerEventData *aled = NULL;
 
     alproto = f->alproto;
-    decoder_events = AppLayerParserGetEventsByTx(f->proto, alproto, alstate, tx_id);
+    decoder_events = AppLayerParserGetEventsByTx(f->proto, alproto, tx);
     if (decoder_events == NULL)
         goto end;
 

src/output-json-anomaly.c

@@ -137,7 +137,7 @@ static int AnomalyDecodeEventJson(ThreadVars *tv, JsonAnomalyLogThread *aft,
 
 static int AnomalyAppLayerDecoderEventJson(JsonAnomalyLogThread *aft,
                         const Packet *p, AppLayerDecoderEvents *decoder_events,
-                        bool is_applayer, const char *layer, uint64_t tx_id)
+                        bool is_pktlayer, const char *layer, uint64_t tx_id)
 {
     const char *alprotoname = AppLayerGetProtoName(p->flow->alproto);
 
@@ -168,28 +168,20 @@ static int AnomalyAppLayerDecoderEventJson(JsonAnomalyLogThread *aft,
 
         JsonAddCommonOptions(&aft->json_output_ctx->cfg, p, p->flow, js);
 
-        /* Use app layer proto name if available */
-        if (alprotoname) {
-            json_object_set_new(ajs, "alproto", json_string(alprotoname));
-        } else {
-            json_object_set_new(ajs, "alproto",
-                p->flow ? json_integer(p->flow->alproto) : json_string("unknown"));
-        }
+        json_object_set_new(js, "app_proto", json_string(alprotoname));
 
         const char *event_name = NULL;
         uint8_t event_code = decoder_events->events[i];
         AppLayerEventType event_type;
         int r;
-        if (is_applayer) {
+        if (is_pktlayer) {
             r = AppLayerGetEventInfoById(event_code, &event_name, &event_type);
         } else {
             r = AppLayerParserGetEventInfoById(p->flow->proto, p->flow->alproto,
                                                event_code, &event_name, &event_type);
         }
         if (r == 0) {
-            json_object_set_new(ajs, "type",
-                        json_string(event_type == APP_LAYER_EVENT_TYPE_TRANSACTION ?
-                                    "transaction" : "packet"));
+            json_object_set_new(ajs, "type", json_string("applayer"));
             json_object_set_new(ajs, "event", json_string(event_name));
         } else {
             json_object_set_new(ajs, "type", json_string("unknown"));
@@ -220,15 +212,13 @@ static int AnomalyAppLayerDecoderEventJson(JsonAnomalyLogThread *aft,
 static int JsonAnomalyTxLogger(ThreadVars *tv, void *thread_data, const Packet *p,
                                Flow *f, void *state, void *tx, uint64_t tx_id)
 {
-    JsonAnomalyLogThread *aft = thread_data;
-    uint8_t proto = f->proto;
-    AppProto alproto = f->alproto;
     AppLayerDecoderEvents *decoder_events;
-    decoder_events = AppLayerParserGetEventsByTx(proto, alproto, state, tx_id);
-    if (decoder_events && (decoder_events->event_last_logged < decoder_events->cnt)) {
+    decoder_events = AppLayerParserGetEventsByTx(f->proto, f->alproto, tx);
+    if (decoder_events && decoder_events->event_last_logged < decoder_events->cnt) {
         SCLogDebug("state %p, tx: %p, tx_id: %"PRIu64, state, tx, tx_id);
+        JsonAnomalyLogThread *aft = thread_data;
         AnomalyAppLayerDecoderEventJson(aft, p, decoder_events, false,
-                                        "applayer_parser", tx_id);
+                                        "proto_parser", tx_id);
     }
     return TM_ECODE_OK;
 }
@@ -239,6 +229,11 @@ static inline bool AnomalyHasParserEvents(const Packet *p)
             AppLayerParserHasDecoderEvents(p->flow->alparser));
 }
 
+static inline bool AnomalyHasPacketAppLayerEvents(const Packet *p)
+{
+    return p->app_layer_events && p->app_layer_events->cnt;
+}
+
 static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *p)
 {
 
@@ -249,9 +244,9 @@ static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *
     }
 
     /* app layer events */
-    if (rc == TM_ECODE_OK && p->app_layer_events && p->app_layer_events->cnt) {
+    if (rc == TM_ECODE_OK && AnomalyHasPacketAppLayerEvents(p)) {
         rc = AnomalyAppLayerDecoderEventJson(aft, p, p->app_layer_events,
-                                             true, "app_layer", TX_ID_UNUSED);
+                                             true, "proto_detect", TX_ID_UNUSED);
     }
 
     /* parser state events */
@@ -275,7 +270,9 @@ static int JsonAnomalyLogger(ThreadVars *tv, void *thread_data, const Packet *p)
 
 static int JsonAnomalyLogCondition(ThreadVars *tv, const Packet *p)
 {
-    return p->events.cnt > 0 || p->app_layer_events || AnomalyHasParserEvents(p);
+    return p->events.cnt > 0 ||
+           (p->app_layer_events && p->app_layer_events->cnt > 0) ||
+           AnomalyHasParserEvents(p);
 }
 
 #define OUTPUT_BUFFER_SIZE 65535
@@ -323,16 +320,6 @@ static TmEcode JsonAnomalyLogThreadDeinit(ThreadVars *t, void *data)
     return TM_ECODE_OK;
 }
 
-static void JsonAnomalyLogDeInitCtx(OutputCtx *output_ctx)
-{
-    AnomalyJsonOutputCtx *json_output_ctx = (AnomalyJsonOutputCtx *) output_ctx->data;
-    if (json_output_ctx != NULL) {
-        LogFileFreeCtx(json_output_ctx->file_ctx);
-        SCFree(json_output_ctx);
-    }
-    SCFree(output_ctx);
-}
-
 static void JsonAnomalyLogDeInitCtxSub(OutputCtx *output_ctx)
 {
     SCLogDebug("cleaning up sub output_ctx %p", output_ctx);
@@ -369,50 +356,6 @@ static void JsonAnomalyLogConf(AnomalyJsonOutputCtx *json_output_ctx,
     json_output_ctx->flags |= flags;
 }
 
-/**
- * \brief Create a new LogFileCtx for "fast" output style.
- * \param conf The configuration node for this output.
- * \return A LogFileCtx pointer on success, NULL on failure.
- */
-static OutputInitResult JsonAnomalyLogInitCtx(ConfNode *conf)
-{
-    OutputInitResult result = { NULL, false };
-    AnomalyJsonOutputCtx *json_output_ctx = NULL;
-    LogFileCtx *logfile_ctx = LogFileNewCtx();
-    if (logfile_ctx == NULL) {
-        SCLogDebug("JsonAnomalyLogInitCtx: Could not create new LogFileCtx");
-        return result;
-    }
-
-    if (SCConfLogOpenGeneric(conf, logfile_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
-        LogFileFreeCtx(logfile_ctx);
-        return result;
-    }
-
-    OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
-    if (unlikely(output_ctx == NULL)) {
-        LogFileFreeCtx(logfile_ctx);
-        return result;
-    }
-
-    json_output_ctx = SCCalloc(1, sizeof(AnomalyJsonOutputCtx));
-    if (unlikely(json_output_ctx == NULL)) {
-        LogFileFreeCtx(logfile_ctx);
-        SCFree(output_ctx);
-        return result;
-    }
-
-    json_output_ctx->file_ctx = logfile_ctx;
-    JsonAnomalyLogConf(json_output_ctx, conf);
-
-    output_ctx->data = json_output_ctx;
-    output_ctx->DeInit = JsonAnomalyLogDeInitCtx;
-
-    result.ctx = output_ctx;
-    result.ok = true;
-    return result;
-}
-
 /**
  * \brief Create a new LogFileCtx for "fast" output style.
  * \param conf The configuration node for this output.
@@ -452,10 +395,6 @@ error:
 
 void JsonAnomalyLogRegister (void)
 {
-    OutputRegisterPacketModule(LOGGER_JSON_ANOMALY, MODULE_NAME, "anomaly-json-log",
-        JsonAnomalyLogInitCtx, JsonAnomalyLogger, JsonAnomalyLogCondition,
-        JsonAnomalyLogThreadInit, JsonAnomalyLogThreadDeinit, NULL);
-
     OutputRegisterPacketSubModule(LOGGER_JSON_ANOMALY, "eve-log", MODULE_NAME,
         "eve-log.anomaly", JsonAnomalyLogInitCtxSub, JsonAnomalyLogger,
         JsonAnomalyLogCondition, JsonAnomalyLogThreadInit, JsonAnomalyLogThreadDeinit,