output/anomaly: Record decoder detect events

Ticket: #4898
OISF · Dec 12, 2021 · 282f784 · 282f784
1 parent f1b3b3f
commit 282f784
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/src/output-json-anomaly.c b/src/output-json-anomaly.c
@@ -242,6 +242,11 @@ static inline bool AnomalyHasPacketAppLayerEvents(const Packet *p)
     return p->app_layer_events && p->app_layer_events->cnt;
 }
 
+static inline bool AnomalyHasPacketDecoderEvents(const Packet *p)
+{
+    return p->decoder_events && p->decoder_events->cnt;
+}
+
 static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *p)
 {
     int rc = TM_ECODE_OK;
@@ -261,6 +266,11 @@ static int AnomalyJson(ThreadVars *tv, JsonAnomalyLogThread *aft, const Packet *
                                                  true, "proto_detect", TX_ID_UNUSED);
         }
 
+        if (rc == TM_ECODE_OK && AnomalyHasPacketDecoderEvents(p)) {
+            rc = AnomalyAppLayerDecoderEventJson(
+                    aft, p, p->decoder_events, true, "decoder_detect", TX_ID_UNUSED);
+        }
+
         /* parser state events */
         if (rc == TM_ECODE_OK && AnomalyHasParserEvents(p)) {
             SCLogDebug("Checking for anomaly events; alproto %d", p->flow->alproto);
@@ -283,9 +293,8 @@ static int JsonAnomalyLogger(ThreadVars *tv, void *thread_data, const Packet *p)
 
 static int JsonAnomalyLogCondition(ThreadVars *tv, const Packet *p)
 {
-    return p->events.cnt > 0 ||
-           (p->app_layer_events && p->app_layer_events->cnt > 0) ||
-           AnomalyHasParserEvents(p);
+    return p->events.cnt > 0 || (p->app_layer_events && p->app_layer_events->cnt > 0) ||
+           (p->decoder_events && p->decoder_events->cnt > 0) || AnomalyHasParserEvents(p);
 }
 
 static TmEcode JsonAnomalyLogThreadInit(ThreadVars *t, const void *initdata, void **data)