From faab853685bd841cecc5116964ab8e6ea2de26ec Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Sat, 13 Feb 2021 21:56:51 +0100
Subject: [PATCH] log/pcap and eve/alert: get pcap filename to support multi mode

This patch adds a function to get the current pcap file name that will be used to current packet. This patch also updates EVE alerts to add pcap output filename when pcap capture is done in multi or normal mode.
---
 src/log-pcap.c | 22 ++++++++++++++++++++++
 src/log-pcap.h | 1 +
 src/output-json-alert.c | 6 ++++++
 3 files changed, 29 insertions(+)

diff --git a/src/log-pcap.c b/src/log-pcap.c
index f3f3a9b475..631031e080 100644
--- a/src/log-pcap.c
+++ b/src/log-pcap.c
@@ -112,6 +112,8 @@ typedef struct PcapFileName_ {
     TAILQ_ENTRY(PcapFileName_) next; /**< Pointer to next Pcap File for tailq. */
 } PcapFileName;
 
+thread_local char *pcap_file_thread = NULL;
+
 typedef struct PcapLogProfileData_ {
     uint64_t total;
     uint64_t cnt;
@@ -1103,6 +1105,14 @@ static TmEcode PcapLogDataInit(ThreadVars *t, const void *initdata, void **data)
 #endif /* INIT_RING_BUFFER */
     }
 
+    if (pl->mode == LOGMODE_MULTI) {
+        PcapLogOpenFileCtx(td->pcap_log);
+    } else {
+        if (pl->filename == NULL) {
+            PcapLogOpenFileCtx(pl);
+        }
+    }
+
     return TM_ECODE_OK;
 }
 
@@ -1854,6 +1864,9 @@ static int PcapLogOpenFileCtx(PcapLogData *pl)
     SCLogDebug("Opening pcap file log %s", pf->filename);
     TAILQ_INSERT_TAIL(&pl->pcap_file_list, pf, next);
 
+    if (pl->mode == LOGMODE_MULTI || pl->mode == LOGMODE_NORMAL) {
+        pcap_file_thread = pl->filename;
+    }
     PCAPLOG_PROFILE_END(pl->profile_open);
 
     return 0;
@@ -1862,6 +1875,15 @@ error:
     return -1;
 }
 
+char *PcapLogGetFilename(void)
+{
+    /* return pcap filename per thread */
+    if (pcap_file_thread != NULL) {
+        return pcap_file_thread;
+    }
+    return NULL;
+}
+
 static int profiling_pcaplog_enabled = 0;
 static int profiling_pcaplog_output_to_file = 0;
 static char *profiling_pcaplog_file_name = NULL;
diff --git a/src/log-pcap.h b/src/log-pcap.h
index ebfe305f44..731a365b85 100644
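Review bot: `pcap_file_thread` is given external linkage although the header only exports the accessor and nothing outside log-pcap.c should touch it; make it `static thread_local char *pcap_file_thread = NULL;` so the symbol stays file-local and cannot be written from another translation unit. The declaration also depends on `thread_local` being in scope, and the include block is outside this hunk, so I cannot confirm whether `<threads.h>` or a project macro provides it. A short ownership comment would help the next reader, since the pointer is never allocated or freed here: `/* not owned: aliases pl->filename of the file most recently opened on this thread */`.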
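Review bot: Both PcapLogOpenFileCtx calls discard the return value, yet the function returns -1 on its `error:` path (visible in the later hunk), so a thread whose pcap file cannot be opened at init still gets TM_ECODE_OK and starts running without an output file; the call should propagate failure, e.g. `if (PcapLogOpenFileCtx(td->pcap_log) != 0) return TM_ECODE_FAILED;` with whatever cleanup the earlier part of PcapLogDataInit requires (its start is outside this hunk). In the non-multi branch `pl` is the context shared by all threads, and the `pl->filename == NULL` test followed by the open is not atomic, so if several threads run their init concurrently this is a check-then-act race unless the caller already holds the context's lock — I cannot see that from here. As a point of style the nested `} else { if (...) {` reads more naturally as `} else if (pl->filename == NULL) {`.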
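Review bot: In LOGMODE_NORMAL `pl` is shared between packet threads while `pcap_file_thread` is per thread, so only the thread that executes this open (for example on rotation) sees the new `pl->filename`; every other thread keeps returning the previous name from PcapLogGetFilename until it happens to open a file itself. If the previous filename buffer is released when the old file is closed (not visible in this hunk) those threads then hold a dangling pointer, and even if it is not, EVE alerts from those threads name a file that no longer receives packets, which undermines the pcap/alert correlation this change is meant to provide. Caching the pointer is only sound in LOGMODE_MULTI, where the context is per thread; for normal mode the accessor should read the shared context's filename under its existing lock, or copy the name into a per-thread buffer at open time.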
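Review bot: The NULL check in PcapLogGetFilename is redundant, because both branches yield the current value of `pcap_file_thread` (NULL included), so the body reduces to `return pcap_file_thread;`. Callers must neither modify nor free the storage, so the return type should be `const char *` here and in the log-pcap.h prototype. The accessor deserves a contract comment in place of the present one: it returns NULL when no pcap file has been opened on the calling thread, the pointer is valid only until the next file is opened on that thread, and in normal mode the name may lag behind a rotation performed by another thread.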
--- a/src/log-pcap.h
+++ b/src/log-pcap.h
@@ -32,5 +32,6 @@
 
 void PcapLogRegister(void);
 void PcapLogProfileSetup(void);
+char *PcapLogGetFilename(void);
 
 #endif /* __LOG_PCAP_H__ */
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 6e90f8ab06..3e0f69e8a9 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -54,6 +54,7 @@
 #include "util-classification-config.h"
 #include "util-syslog.h"
 #include "util-logopenfile.h"
+#include "log-pcap.h"
 #include "output.h"
 #include "output-json.h"
 
@@ -774,6 +775,11 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
         EvePacket(p, jb, 0);
     }
 
+    char *pcap_filename = PcapLogGetFilename();
+    if (pcap_filename != NULL) {
+        jb_set_string(jb, "capture_file", pcap_filename);
+    }
+
     OutputJsonBuilderBuffer(jb, aft->ctx);
     jb_free(jb);
 }
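Review bot: The `capture_file` value is whichever pcap file is open on this thread at the moment AlertJson runs, which is not necessarily the file that will hold this packet: if the pcap logger processes the same packet after the alert logger and decides to rotate, the alert names the previous file. Whether that ordering can occur depends on how the output modules are sequenced, which is not visible here, so I would at least state the caveat next to the field, `/* file currently open in this thread's pcap-log; can differ from the file this packet lands in if pcap-log rotates afterwards */`, and, if the ordering is guaranteed, say so instead. The alert logger only reads the name, so `const char *pcap_filename = PcapLogGetFilename();` is the right declaration. AlertJson begins outside this hunk.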