log: rename http.xff to http.xff_header

Ticket: 4860 So as to differentiate between .xff which is just one IP, depending on the configuration first or last, and .http.xff_header which is the complete header value
OISF · Feb 22, 2022 · 01d3df9 · 01d3df9
1 parent b1c0936
commit 01d3df9
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst
@@ -46,6 +46,7 @@ Logging changes
 - IKEv2 Eve logging changed, the event_type has become ``ike``. The fields ``errors`` and ``notify`` have moved to
   ``ike.ikev2.errors`` and ``ike.ikev2.notify``.
 - FTP DATA metadata for alerts are now logged in ``ftp_data`` instead of root.
+- HTTP xff header is now logged as ``http.xff_header`` instead of ``http.xff`` while the root object ``.xff`` remains the same
 
 Other changes
 ~~~~~~~~~~~~~

diff --git a/src/output-json-http.c b/src/output-json-http.c
@@ -229,7 +229,7 @@ static void EveHttpLogJSONBasic(JsonBuilder *js, htp_tx_t *tx)
         /* x-forwarded-for */
         htp_header_t *h_x_forwarded_for = htp_table_get_c(tx->request_headers, "x-forwarded-for");
         if (h_x_forwarded_for != NULL) {
-            jb_set_string_from_bytes(js, "xff", bstr_ptr(h_x_forwarded_for->value),
+            jb_set_string_from_bytes(js, "xff_header", bstr_ptr(h_x_forwarded_for->value),
                     bstr_len(h_x_forwarded_for->value));
         }
     }