Merge pull request #1390 from Yamato-Security/1386-bug-jsonl-output-d…

…oesnt-always-contain-a-json-object-in-the-details-key

fix(afterfact): modified output format from "-" str to empty Dict in …

CHANGELOG-Japanese.md

@@ -13,6 +13,7 @@
   - 前: `"Data": ["17514", "Multiprocessor Free", "Service Pack 1"]`
   - 後: `"Data[3]": "17514", "Data[4]": "Multiprocessor Free", "Data[5]": "Service Pack 1"`
 - 集計ルールのアラートに、複数の結果がある場合でも`Channel`と`EventID`の情報が表示されるようにした。 (#1342) (@fukusuket)
+- JSONタイムラインで`Details`フィールドに情報がない場合、JSONがパースしやすくなるように、デフォルトで出力される`"-"`を`{}`に変更した。(#1386) (@hitenkoku)
 - シグネチャーバイパスを防ぐため、`-` (エンダッシュ)、`-` (エムダッシュ)、`―` (水平バー) 文字を `windash` 修飾子でサポートするようにした。(#1392) (@hitenkoku)
 
 **バグ修正:**

CHANGELOG.md

@@ -13,6 +13,7 @@
   - Before: `"Data": ["17514", "Multiprocessor Free", "Service Pack 1"]`
   - After: `"Data[3]": "17514", "Data[4]": "Multiprocessor Free", "Data[5]": "Service Pack 1"`
 - Aggregation rule alerts now show `Channel` and `EventID` information even when there are multiple results. (#1342) (@fukusuket)
+- In the JSON timeline, when there is no information in the `Details` field, we changed the default output of `"-"` to `{}` in order to make parsing easier. (#1386) (@hitenkoku)
 - Added support for the `–` (en dash), `—` (em dash), and `―` (horizontal bar) characters for the `windash` modifier to prevent signature bypass. (#1392) (@hitenkoku)
 
 **Bug Fixes:**

src/afterfact.rs

@@ -1860,6 +1860,10 @@ pub fn output_json_str(
             ))
             && vec_data.is_empty()
         {
+            if matches!(profile, Profile::Details(_)) && val == "-" {
+                target.push(format!("{}\"{}\": {{}}", " ".repeat(4), key));
+                continue;
+            }
             let tmp_val: Vec<&str> = val.split(": ").collect();
             let output_val =
                 _convert_valid_json_str(&tmp_val, matches!(profile, Profile::AllFieldInfo(_)));
@@ -1907,14 +1911,8 @@ pub fn output_json_str(
                         HashMap::new();
                     let mut children_output_order = vec![];
                     if detect_info.agg_result.is_some() {
-                        if details_target_stock[0] == "-" {
-                            output_stock.push(_create_json_output_format(
-                                key,
-                                details_target_stock[0].as_str(),
-                                key.starts_with('\"'),
-                                details_target_stock[0].starts_with('\"'),
-                                4,
-                            ));
+                        if details_target_stock.is_empty() || details_target_stock[0] == "-" {
+                            output_stock.push(format!("{}\"{}\": {{}}", " ".repeat(4), key));
                             if jsonl_output_flag {
                                 target.push(output_stock.join(""));
                             } else {
@@ -1931,6 +1929,14 @@ pub fn output_json_str(
                             &mut children_output_stock,
                             &mut children_output_order,
                         );
+                    } else if details_target_stock.is_empty() {
+                        output_stock.push(format!("{}\"{}\": {{}}", " ".repeat(4), key));
+                        if jsonl_output_flag {
+                            target.push(output_stock.join(""));
+                        } else {
+                            target.push(output_stock.join("\n"));
+                        }
+                        continue;
                     } else {
                         process_target_stock(
                             details_target_stock,