From 1d4b8d62f5e4bb0caff3973bdb3b2c52b87d5b60 Mon Sep 17 00:00:00 2001
From: Sebastian Spaink <3441183+sspaink@users.noreply.github.com>
Date: Mon, 14 Jun 2021 10:07:36 -0500
Subject: [PATCH] Support new Suricata JSON format which includes arrays and strings (#9338)

---
 plugins/inputs/suricata/suricata.go | 9 +++++
 plugins/inputs/suricata/suricata_test.go | 38 +++++++++++++++++++++
 plugins/inputs/suricata/testdata/test2.json | 21 ++++++++++++
 3 files changed, 68 insertions(+)
 create mode 100644 plugins/inputs/suricata/testdata/test2.json

diff --git a/plugins/inputs/suricata/suricata.go b/plugins/inputs/suricata/suricata.go
index 631c6af0a..8fd48b5cf 100644
--- a/plugins/inputs/suricata/suricata.go
+++ b/plugins/inputs/suricata/suricata.go
@@ -148,6 +148,15 @@ func flexFlatten(outmap map[string]interface{}, field string, v interface{}, del
 return err
 }
 }
+ case []interface{}:
+ for _, v := range t {
+ err := flexFlatten(outmap, field, v, delimiter)
+ if err != nil {
+ return err
+ }
+ }
+ case string:
+ outmap[field] = v
 case float64:
 outmap[field] = v.(float64)
 default:
diff --git a/plugins/inputs/suricata/suricata_test.go b/plugins/inputs/suricata/suricata_test.go
index f3204f29e..ab03de057 100644
--- a/plugins/inputs/suricata/suricata_test.go
+++ b/plugins/inputs/suricata/suricata_test.go
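Review bot: Every element of a `[]interface{}` value is flattened under the same `field` key, so when an array such as `engines` holds more than one object the later entries silently overwrite the earlier ones in `outmap`, and the new fixture with a single engine does not exercise this. If several entries are expected, key them by position, `for i, elem := range t {` and `flexFlatten(outmap, field+delimiter+strconv.Itoa(i), elem, delimiter)` (this changes the emitted field names, so the expectations in suricata_test.go would follow, and `strconv` would need importing); otherwise state the collapse above the case, `// array elements share one key: a later element overwrites an earlier one`. Minor: the loop variable shadows the `v` the switch is on, and `case string:` could assign `t` rather than `v`, matching how the `float64` arm already narrows the value. flexFlatten starts and ends outside the hunk.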
@@ -296,3 +296,41 @@ func TestSuricataStartStop(t *testing.T) {
 require.NoError(t, s.Start(&acc))
 s.Stop()
 }
+
+func TestSuricataParse(t *testing.T) {
+ tests := []struct {
+ filename string
+ expected []telegraf.Metric
+ }{{
+ filename: "test2.json",
+ expected: []telegraf.Metric{
+ testutil.MustMetric(
+ "suricata",
+ map[string]string{
+ "thread": "W#01-ens2f1",
+ },
+ map[string]interface{}{
+ "detect_alert": float64(0),
+ "detect_engines_id": float64(0),
+ "detect_engines_last_reload": "2021-06-08T06:33:05.084872+0000",
+ "detect_engines_rules_failed": float64(0),
+ "detect_engines_rules_loaded": float64(22712),
+ },
+ time.Unix(0, 0),
+ ),
+ },
+ },
+ }
+
+ for _, tc := range tests {
+ data, err := ioutil.ReadFile("testdata/" + tc.filename)
+ require.NoError(t, err)
+ s := Suricata{
+ Delimiter: "_",
+ }
+ acc := testutil.Accumulator{}
+ s.parse(&acc, data)
+
+ testutil.RequireMetricsEqual(t, tc.expected, acc.GetTelegrafMetrics(), testutil.IgnoreTime())
+ }
+}
diff --git a/plugins/inputs/suricata/testdata/test2.json b/plugins/inputs/suricata/testdata/test2.json
new file mode 100644
index 000000000..edb7d245d
--- /dev/null
+++ b/plugins/inputs/suricata/testdata/test2.json
@@ -0,0 +1,21 @@
+{
+ "timestamp": "2021-06-08T06:34:49.237367+0000",
+ "event_type": "stats",
+ "stats": {
+ "threads": {
+ "W#01-ens2f1": {
+ "detect": {
+ "engines": [
+ {
+ "id": 0,
+ "last_reload": "2021-06-08T06:33:05.084872+0000",
+ "rules_loaded": 22712,
+ "rules_failed": 0
+ }
+ ],
+ "alert": 0
+ }
+ }
+ }
+ }
+}
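Review bot: TestSuricataParse only feeds a fixture whose `engines` array has a single element, so it cannot tell whether several array entries are kept or collapse into the same flattened key; a second case in `tests` (or a second engine object in the fixture) with two entries would pin the intended behaviour. The result of `s.parse(&acc, data)` is discarded; if parse reports an error (its signature is not visible here), check it with `require.NoError(t, s.parse(&acc, data))` so a rejected fixture fails loudly instead of producing an empty comparison. `ioutil.ReadFile` is deprecated in favour of `os.ReadFile` from Go 1.16 on, if the module already targets that version.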