eve/drop: don't log drops unless packet is dropped

In pass/drop combinations where the pass rule took precendence over the drop, a "drop" false positive could still be logged due to the storing of the drop record in the packet drop alert store. Bug: #5867. (cherry picked from commit 0934856)
OISF · Mar 28, 2023 · 517132b · 517132b
1 parent 7838fc8
commit 517132b
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/src/output-json-drop.c b/src/output-json-drop.c
@@ -357,6 +357,10 @@ static int JsonDropLogCondition(ThreadVars *tv, const Packet *p)
         return FALSE;
     }
 
+    if (!PACKET_TEST_ACTION(p, ACTION_DROP)) {
+        return FALSE;
+    }
+
     if (g_droplog_flows_start && p->flow != NULL) {
         int ret = FALSE;
 
@@ -373,11 +377,9 @@ static int JsonDropLogCondition(ThreadVars *tv, const Packet *p)
             ret = TRUE;
 
         return ret;
-    } else if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
-        return TRUE;
     }
 
-    return FALSE;
+    return TRUE;
 }
 
 void JsonDropLogRegister (void)