eve: add tx_id to output for alerts and events

Add tx_id field for correlating alerts and events per tx.

src/output-json-alert.c

@@ -135,6 +135,9 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
                             json_string((pa->s->class_msg) ? pa->s->class_msg : ""));
         json_object_set_new(ajs, "severity", json_integer(pa->s->prio));
 
+        if (pa->flags & PACKET_ALERT_FLAG_TX)
+            json_object_set_new(ajs, "tx_id", json_integer(pa->tx_id));
+
         /* alert */
         json_object_set_new(js, "alert", ajs);
 

src/output-json-dns.c

@@ -70,7 +70,9 @@ typedef struct LogDnsLogThread_ {
     MemBuffer *buffer;
 } LogDnsLogThread;
 
-static void LogQuery(LogDnsLogThread *aft, json_t *js, DNSTransaction *tx, DNSQueryEntry *entry) {
+static void LogQuery(LogDnsLogThread *aft, json_t *js, DNSTransaction *tx,
+        uint64_t tx_id, DNSQueryEntry *entry)
+{
     MemBuffer *buffer = (MemBuffer *)aft->buffer;
 
     SCLogDebug("got a DNS request and now logging !!");
@@ -102,6 +104,9 @@ static void LogQuery(LogDnsLogThread *aft, json_t *js, DNSTransaction *tx, DNSQu
     DNSCreateTypeString(entry->type, record, sizeof(record));
     json_object_set_new(djs, "rrtype", json_string(record));
 
+    /* tx id (tx counter) */
+    json_object_set_new(djs, "tx_id", json_integer(tx_id));
+
     /* dns */
     json_object_set_new(js, "dns", djs);
     OutputJSONBuffer(js, aft->dnslog_ctx->file_ctx, buffer);
@@ -174,7 +179,7 @@ static void OutputAnswer(LogDnsLogThread *aft, json_t *djs, DNSTransaction *tx,
     return;
 }
 
-static void LogAnswers(LogDnsLogThread *aft, json_t *js, DNSTransaction *tx) {
+static void LogAnswers(LogDnsLogThread *aft, json_t *js, DNSTransaction *tx, uint64_t tx_id) {
 
     SCLogDebug("got a DNS response and now logging !!");
 
@@ -208,7 +213,7 @@ static int JsonDnsLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flo
         if (unlikely(js == NULL))
             return TM_ECODE_OK;
 
-        LogQuery(td, js, tx, query);
+        LogQuery(td, js, tx, tx_id, query);
 
         json_decref(js);
     }
@@ -217,7 +222,7 @@ static int JsonDnsLogger(ThreadVars *tv, void *thread_data, const Packet *p, Flo
     if (unlikely(js == NULL))
         return TM_ECODE_OK;
 
-    LogAnswers(td, js, tx);
+    LogAnswers(td, js, tx, tx_id);
 
     json_decref(js);
 

src/output-json-file.c

@@ -232,6 +232,7 @@ static void FileWriteJsonRecord(JsonFileLogThread *aft, const Packet *p, const F
     json_object_set_new(fjs, "stored",
                         (ff->flags & FILE_STORED) ? json_true() : json_false());
     json_object_set_new(fjs, "size", json_integer(ff->size));
+    json_object_set_new(fjs, "tx_id", json_integer(ff->txid));
 
     /* originally just 'file', but due to bug 1127 naming it fileinfo */
     json_object_set_new(js, "fileinfo", fjs);

src/output-json-http.c

@@ -180,7 +180,7 @@ struct {
 
 
 /* JSON format logging */
-static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx)
+static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx, uint64_t tx_id)
 {
     LogHttpFileCtx *http_ctx = aft->httplog_ctx;
     json_t *hjs = json_object();
@@ -348,6 +348,9 @@ static void JsonHttpLogJSON(JsonHttpLogThread *aft, json_t *js, htp_tx_t *tx)
         json_object_set_new(hjs, "length", json_integer(tx->response_message_len));
     }
 
+    /* tx id for correlation with alerts */
+    json_object_set_new(hjs, "tx_id", json_integer(tx_id));
+
     json_object_set_new(js, "http", hjs);
 }
 
@@ -368,7 +371,7 @@ static int JsonHttpLogger(ThreadVars *tv, void *thread_data, const Packet *p, Fl
     /* reset */
     MemBufferReset(buffer);
 
-    JsonHttpLogJSON(jhl, js, tx);
+    JsonHttpLogJSON(jhl, js, tx, tx_id);
 
     OutputJSONBuffer(js, jhl->httplog_ctx->file_ctx, buffer);
     json_object_del(js, "http");