ftp-data: check direction before finished state

catenacyber · victorjulien · commit be2d80a8e719 · 2026-04-22T21:07:14.000Z
Ticket: 6813

So, in the case we have a ftp-data flow with data to client as
expected, but after to_client side completes (with timeout for
example), the client sends some data to server,

In this case, we want to check first the direction, and bail out,
then do the assertion check about the finished state.
diff --git a/src/app-layer-ftp.c b/src/app-layer-ftp.c
@@ -1075,11 +1075,6 @@ static AppLayerResult FTPDataParse(Flow *f, FtpDataState *ftpdata_state,
         SCFlowFreeStorageById(f, AppLayerExpectationGetFlowId());
         ftpdata_state->tx_data.files_opened = 1;
     } else {
-        if (ftpdata_state->state == FTPDATA_STATE_FINISHED) {
-            SCLogDebug("state is already finished");
-            DEBUG_VALIDATE_BUG_ON(input_len); // data after state finished is a bug.
-            SCReturnStruct(APP_LAYER_OK);
-        }
         if ((direction & ftpdata_state->direction) == 0) {
             if (input_len) {
                 // TODO set event for data in wrong direction
@@ -1090,6 +1085,11 @@ static AppLayerResult FTPDataParse(Flow *f, FtpDataState *ftpdata_state,
                     (ftpdata_state->direction & STREAM_TOSERVER) ? "toserver" : "toclient");
             SCReturnStruct(APP_LAYER_OK);
         }
+        if (ftpdata_state->state == FTPDATA_STATE_FINISHED) {
+            SCLogDebug("state is already finished");
+            DEBUG_VALIDATE_BUG_ON(input_len); // data after state finished is a bug.
+            SCReturnStruct(APP_LAYER_OK);
+        }
         if (input_len != 0) {
             ret = FileAppendData(ftpdata_state->files, &sbcfg, input, input_len);
             if (ret == -2) {
