From 7bec7d59c41d0b2270720eb3f98e201854be851a Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 26 Nov 2024 21:44:45 +0100
Subject: [PATCH] detect: log app-layer metadata in alert with single tx

Ticket: 7199
When there is a single transaction, we cannot pick a wrong transaction to log, even if the rule does not use app-layer keywords.
---
 src/detect.c | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/src/detect.c b/src/detect.c
index 03fa8437068d..2c0752287448 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -813,24 +813,22 @@ static inline void DetectRulePacketRules(
         DetectRunPostMatch(tv, det_ctx, p, s);
         uint64_t txid = PACKET_ALERT_NOTX;
-        if ((alert_flags & PACKET_ALERT_FLAG_STREAM_MATCH) ||
-                (s->alproto != ALPROTO_UNKNOWN && pflow->proto == IPPROTO_UDP)) {
+        if (pflow && pflow->alstate &&
+                ((alert_flags & PACKET_ALERT_FLAG_STREAM_MATCH) ||
+                        (s->alproto != ALPROTO_UNKNOWN && pflow->proto == IPPROTO_UDP) ||
+                        AppLayerParserGetTxCnt(pflow, pflow->alstate) == 1)) {
             // if there is a stream match (TCP), or
             // a UDP specific app-layer signature,
+            // or only one transaction
             // try to use the good tx for the packet direction
-            if (pflow->alstate) {
-                uint8_t dir =
-                        (p->flowflags & FLOW_PKT_TOCLIENT) ? STREAM_TOCLIENT : STREAM_TOSERVER;
-                txid = AppLayerParserGetTransactionInspectId(pflow->alparser, dir);
-                void *tx_ptr =
-                        AppLayerParserGetTx(pflow->proto, pflow->alproto, pflow->alstate, txid);
-                AppLayerTxData *txd =
-                        tx_ptr ? AppLayerParserGetTxData(pflow->proto, pflow->alproto, tx_ptr)
-                               : NULL;
-                if (txd && txd->stream_logged < de_ctx->stream_tx_log_limit) {
-                    alert_flags |= PACKET_ALERT_FLAG_TX;
-                    txd->stream_logged++;
-                }
+            uint8_t dir = (p->flowflags & FLOW_PKT_TOCLIENT) ? STREAM_TOCLIENT : STREAM_TOSERVER;
+            txid = AppLayerParserGetTransactionInspectId(pflow->alparser, dir);
+            void *tx_ptr = AppLayerParserGetTx(pflow->proto, pflow->alproto, pflow->alstate, txid);
+            AppLayerTxData *txd =
+                    tx_ptr ? AppLayerParserGetTxData(pflow->proto, pflow->alproto, tx_ptr) : NULL;
+            if (txd && txd->stream_logged < de_ctx->stream_tx_log_limit) {
+                alert_flags |= PACKET_ALERT_FLAG_TX;
+                txd->stream_logged++;
             }
         }
         AlertQueueAppend(det_ctx, s, p, txid, alert_flags);
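Review bot: The new single-transaction clause in the `if` condition does not guarantee that the tx resolved a few lines later is that transaction: `AppLayerParserGetTransactionInspectId(pflow->alparser, dir)` yields the direction's inspect id, and once the only tx has finished inspection in that direction the id has presumably moved past it, so `AppLayerParserGetTx` returns NULL, `txd` is NULL, and the alert is appended without `PACKET_ALERT_FLAG_TX` even though the commit message says the tx is now safe to log. If that case matters, the single-tx branch should resolve the tx by its own id rather than the inspect id; otherwise the limitation belongs in the comment block, e.g. `// single-tx case: if the inspect id already passed the tx, tx_ptr is NULL and no tx metadata is logged`. If `AppLayerParserGetTxCnt` reports transactions created on the flow rather than those still alive, a flow whose only tx was already freed also takes this branch and resolves NULL, which is harmless but worth stating in the same comment. DetectRulePacketRules starts and ends outside the hunk.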