alert/eve: move logging of rule text (jsonbuilder prep)

Move the logging of the rule text to where the alert object is being logged to remove the usage of json_object_get... Getting previously logged objects will not be possible with JsonBuilder.
5 years ago · f4f1fdbf86
parent f8f2a2bbc0
commit f4f1fdbf86
1 changed files with 4 additions and 7 deletions
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@ -342,6 +342,10 @@ void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, json_t *
        AlertJsonMetadata(json_output_ctx, pa, ajs);
    }

+    if (flags & LOG_JSON_RULE) {
+        json_object_set_new(ajs, "rule", json_string(pa->s->sig_str));
+    }
+
    /* alert */
    json_object_set_new(js, "alert", ajs);
 }
@ -561,13 +565,6 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
            JsonPacket(p, js, 0);
        }

-        /* signature text */
-        if (json_output_ctx->flags & LOG_JSON_RULE) {
-            hjs = json_object_get(js, "alert");
-            if (json_is_object(hjs))
-                json_object_set_new(hjs, "rule", json_string(pa->s->sig_str));
-        }
-
        HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg != NULL ?
            json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;;