eve: log app_proto in all event types

There was a regression between Suricata 7 and Suricata 8. The
app_proto was logged in almost all events in 7 and is only log
in a small subset (fileinfo, flow, frame, netflow) in 8.

This patch updates the code to log app_proto in all events if
there is a Flow available. It is making use of EveAddAppProto
function to get interesting information such as original
application protocol or difference between server and client
side.

Ticket: #7888

Author: regit

src/output-json-alert.c

@@ -722,8 +722,6 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
                 }
             }
 
-            EveAddAppProto(p->flow, jb);
-
             if (p->flowflags & FLOW_PKT_TOSERVER) {
                 SCJbSetString(jb, "direction", "to_server");
             } else {

src/output-json-file.c

@@ -189,8 +189,6 @@ SCJsonBuilder *JsonBuildFileInfoRecord(const Packet *p, const File *ff, void *tx
             break;
     }
 
-    SCJbSetString(js, "app_proto", AppProtoToString(p->flow->alproto));
-
     SCJbOpenObject(js, "fileinfo");
     if (stored) {
         // the file has just been stored on disk cf OUTPUT_FILEDATA_FLAG_CLOSE

src/output-json-frame.c

@@ -313,7 +313,6 @@ static int FrameJsonUdp(ThreadVars *tv, JsonFrameLogThread *aft, const Packet *p
         if (unlikely(jb == NULL))
             return TM_ECODE_OK;
 
-        SCJbSetString(jb, "app_proto", AppProtoToString(f->alproto));
         FrameJsonLogOneFrame(IPPROTO_UDP, frame, p->flow, NULL, p, jb, aft->payload_buffer);
         OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
         SCJbFree(jb);
@@ -387,7 +386,6 @@ static int FrameJson(ThreadVars *tv, JsonFrameLogThread *aft, const Packet *p)
             if (unlikely(jb == NULL))
                 return TM_ECODE_OK;
 
-            SCJbSetString(jb, "app_proto", AppProtoToString(p->flow->alproto));
             FrameJsonLogOneFrame(IPPROTO_TCP, frame, p->flow, stream, p, jb, aft->payload_buffer);
             OutputJsonBuilderBuffer(tv, p, p->flow, jb, aft->ctx);
             SCJbFree(jb);

src/output-json-netflow.c

@@ -228,7 +228,7 @@ static void NetFlowLogEveToServer(SCJsonBuilder *js, Flow *f)
 
 static void NetFlowLogEveToClient(SCJsonBuilder *js, Flow *f)
 {
-    SCJbSetString(js, "app_proto", AppProtoToString(f->alproto_tc ? f->alproto_tc : f->alproto));
+    EveAddAppProto(f, js);
 
     SCJbOpenObject(js, "netflow");
 

src/output-json.c

@@ -886,6 +886,8 @@ SCJsonBuilder *CreateEveHeader(const Packet *p, enum SCOutputJsonLogDirection di
 
     CreateEveFlowId(js, f);
 
+    EveAddAppProto(f, js);
+
     /* sensor id */
     if (sensor_id >= 0) {
         SCJbSetUint(js, "sensor_id", sensor_id);