From 2700abcd65df86c044f3c71a1945e8841dce989f Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Sat, 2 Nov 2024 10:38:10 +0100
Subject: [PATCH 1/2] tests: fix invalid settings
---
 tests/filestore-v2.7-stream-depth/suricata.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/tests/filestore-v2.7-stream-depth/suricata.yaml b/tests/filestore-v2.7-stream-depth/suricata.yaml
index 46a2d1c4a..11e4ba960 100644
--- a/tests/filestore-v2.7-stream-depth/suricata.yaml
+++ b/tests/filestore-v2.7-stream-depth/suricata.yaml
@@ -6,11 +6,12 @@ outputs:
 enabled: yes
 types:
 - files
- - stream:
- reassembly:
- depth: 1000
 - file-store:
 version: 2
 enabled: yes
 force-filestore: yes
 stream-depth: 100000
+
+stream:
+ reassembly:
+ depth: 1000
From 32d020c16d34c4b31a72a1c62a37766f4c558534 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Sat, 2 Nov 2024 10:48:38 +0100
Subject: [PATCH 2/2] tests: add file_data logging test
---
 tests/eve-alert-file_data/suricata.yaml | 20 ++++++++++++++++++++
 tests/eve-alert-file_data/test.rules | 1 +
 tests/eve-alert-file_data/test.yaml | 15 +++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 tests/eve-alert-file_data/suricata.yaml
 create mode 100644 tests/eve-alert-file_data/test.rules
 create mode 100644 tests/eve-alert-file_data/test.yaml
diff --git a/tests/eve-alert-file_data/suricata.yaml b/tests/eve-alert-file_data/suricata.yaml
new file mode 100644
index 000000000..0630393e2
--- /dev/null
+++ b/tests/eve-alert-file_data/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+
+ # Enable to disable top-level metadata logging. Default: yes.
+ #metadata: no
+
+ types:
+ - alert:
+ file-data: yes
+ payload-buffer-size: 50
+ - files
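Review bot: Moving the `stream:` block out of the `outputs:` list means `stream.reassembly.depth: 1000` is now actually read, whereas as a stray list entry under `outputs:` it was presumably never applied (the subject calls the old placement invalid); the expectations in this test's own test.yaml are not part of the patch and should be re-run now that the 1000-byte depth is in effect alongside `file-store.stream-depth: 100000`, since that interaction is what the test is named after. A one-line comment above the moved block, `# kept below file-store.stream-depth so the per-flow file-store override is what the test exercises`, would record the intent so the setting is not "tidied" back or bumped without noticing the dependency. Note that the rendering of this page has stripped the YAML indentation from the hunk, so indentation cannot be reviewed here.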
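Review bot: `payload-buffer-size: 50` is load-bearing but undocumented: the `files[0].data` literal that the companion test.yaml matches is a 68-character base64 string with one pad character, i.e. exactly 50 bytes (the PNG signature followed by the start of the IHDR chunk), so any later change to this value silently breaks the check. A comment next to it, `# 50 bytes: test.yaml matches the base64 of exactly this prefix of the PNG`, makes the coupling explicit; it is also worth noting in the same comment that this size is the only bound on attacker-controlled file bytes being copied into eve.json alert records when `file-data: yes`. The copied `# Enable to disable top-level metadata logging` / `#metadata: no` lines are template boilerplate unrelated to what this test exercises and could be dropped.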
diff --git a/tests/eve-alert-file_data/test.rules b/tests/eve-alert-file_data/test.rules
new file mode 100644
index 000000000..5754487db
--- /dev/null
+++ b/tests/eve-alert-file_data/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST"; flow:established,to_client; file.data; content:"|50 4E 47|"; sid:1; rev:1;)
diff --git a/tests/eve-alert-file_data/test.yaml b/tests/eve-alert-file_data/test.yaml
new file mode 100644
index 000000000..13ed8d579
--- /dev/null
+++ b/tests/eve-alert-file_data/test.yaml
@@ -0,0 +1,15 @@
+pcap: ../filestore-filecontainer-http/filecontainer-http.pcap
+
+args:
+ - -k none
+
+requires:
+ script:
+ - grep LOG_JSON_FILE_DATA src/output-json-alert.c > /dev/null
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ files[0].data: iVBORw0KGgoAAAANSUhEUgAAACQAAAAkCAYAAADhAJiYAAAAGXRFWHRTb2Z0d2FyZQA=
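Review bot: `content:"|50 4E 47|"` with no `startswith` or `depth` matches the ASCII bytes `PNG` anywhere in the file body rather than the PNG signature, so the rule is looser than its purpose suggests and would fire on any served file that happens to contain those three bytes. Anchoring it to the magic, `content:"|89 50 4E 47 0D 0A 1A 0A|"; startswith;`, ties the rule to what the test is actually checking (the `files[0].data` value in test.yaml begins with exactly those eight bytes). That also protects the `count: 1` expectation in test.yaml should the pcap ever be swapped for one carrying more than one file.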
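Review bot: The `requires.script` gate greps the Suricata source for the internal identifier `LOG_JSON_FILE_DATA`, which couples the test to an implementation symbol and to being run from a source checkout; a comment stating the reason, `# feature gate: file-data alert logging is not in a released version yet; replace with a version requirement once it ships`, tells the next reader when the grep can go. The `files[0].data` match pins a 50-byte base64 prefix whose length comes from `payload-buffer-size: 50` in the sibling suricata.yaml, so a comment on the match line, `# base64 of the first 50 bytes (payload-buffer-size) of the PNG`, makes that cross-file dependency visible. The `-k none` argument disables checksum verification, which is the usual choice for canned pcaps and needs no change.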