From cbda276aebf4657fed709368028d6b21acf5c4e7 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Tue, 1 Oct 2024 09:19:25 -0400
Subject: [PATCH] output: Log ethernet type

Issue 7129

When configured with the existing "ethernet" switch, include the ether type in the output. This is most useful with anomaly records indicating unknown ethertypes.
---
 etc/schema.json | 4 ++++
 src/output-json.c | 1 +
 2 files changed, 5 insertions(+)

diff --git a/etc/schema.json b/etc/schema.json
index d14ddbcf6722..3a877aabb96e 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -1744,6 +1744,10 @@
 "src_mac": {
 "type": "string"
 },
+ "ether_type": {
+ "type": "integer",
+ "description": "Ethernet type value "
+ },
 "dest_macs": {
 "type": "array",
 "minItems": 1,
diff --git a/src/output-json.c b/src/output-json.c
index 2880a25d87f9..0109a1c5ee56 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -734,6 +734,7 @@ static int CreateJSONEther(
 if (PacketIsEthernet(p)) {
 const EthernetHdr *ethh = PacketGetEthernet(p);
 jb_open_object(js, "ether");
+ jb_set_uint(js, "ether_type", ethh->eth_type);
 const uint8_t *src;
 const uint8_t *dst;
 switch (dir) {
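Review bot: The new `ether_type` property is a bare `integer`, so schema validation accepts values that no EtherType can take. The field is 16 bits on the wire, so adding `"minimum": 0, "maximum": 65535` would let the schema check catch a widened or mis-converted value. The description also ends in a trailing space and does not say how the value is represented. Something like `"description": "Ethernet type (EtherType) as a decimal integer"` would tell consumers writing detections what to match on. The enclosing object starts and ends outside the hunk.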
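Review bot: `ethh->eth_type` is passed to `jb_set_uint` exactly as stored in the header struct, with no byte-order conversion in the added line. The struct definition is not in this diff, so this needs confirming, but if the field holds the on-wire big-endian value (usual for a header overlay), little-endian sensors would log 8 for IPv4 instead of 2048 (0x0800). Anomaly triage and SIEM rules keyed on `ether_type` would then match the wrong protocols. Consider `jb_set_uint(js, "ether_type", SCNtohs(ethh->eth_type));` plus a test that pins a known EtherType in the EVE output. The body of CreateJSONEther starts and ends outside the hunk.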