From d44b35323d211ed09957aca9b3517eea89b0f39e Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Tue, 25 Jun 2024 14:12:03 -0600
Subject: [PATCH] tweaks for idaholab/Malcolm#419, testing ja4+ merge
---
 logstash/pipelines/zeek/13_zeek_normalize.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/logstash/pipelines/zeek/13_zeek_normalize.conf b/logstash/pipelines/zeek/13_zeek_normalize.conf
index 8b96cbb98..c7d20fdad 100644
--- a/logstash/pipelines/zeek/13_zeek_normalize.conf
+++ b/logstash/pipelines/zeek/13_zeek_normalize.conf
@@ -1369,7 +1369,7 @@ filter {
 merge => { "[related][hash]" => "[zeek][files][sha1]" } } }
 if ([zeek][files][sha256]) { mutate { id => "mutate_merge_field_related_hash_files_sha256"
 merge => { "[related][hash]" => "[zeek][files][sha256]" } } }
- if ([zeek][http][ja4]h) { mutate { id => "mutate_merge_field_related_hash_http_ja4h"
+ if ([zeek][http][ja4h]) { mutate { id => "mutate_merge_field_related_hash_http_ja4h"
 merge => { "[related][hash]" => "[zeek][http][ja4h]" } } }
 if ([zeek][ssh][hassh]) { mutate { id => "mutate_merge_field_related_hash_ssh_hassh"
 merge => { "[related][hash]" => "[zeek][ssh][hassh]" } } }
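Review bot: The JA4H entry at the corrected `[zeek][http][ja4h]` guard, like the HASSH entry after it, is merged into `[related][hash]` alongside the sha1/sha256 file hashes, and nothing in the hunk marks that these are client fingerprints rather than content digests. I would add a comment above the JA4H line, for example `# JA4H/HASSH are client fingerprints, not content hashes: a shared value means a similar client, not the same file`, so analysts pivoting on `related.hash` do not read a match as file identity. Separately, the removed conditional `[zeek][http][ja4]h` looks malformed enough that Logstash would probably have rejected it at load time, so a `logstash --config.test_and_exit` run over the pipeline directory in CI would likely catch this class of typo before merge. The enclosing filter block starts and ends outside the hunk.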