From 5f43e15a4fcc9f63098034e7210f9360100b887e Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Tue, 28 Sep 2021 11:10:52 +0930
Subject: [PATCH] Use field set operation for source and destination IP

Updates elastic/beats#26504
---
 fields-merge.csv | 2 --
 output/javascript/liblogparser.js | 8 ++++----
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/fields-merge.csv b/fields-merge.csv
index eb8108c..bdb77b5 100644
--- a/fields-merge.csv
+++ b/fields-merge.csv
@@ -4,8 +4,6 @@ event.code,by_prio,id,messageid
 rsa.misc.action,append
 rsa.network.alias_host,append
 host.name,by_prio,hostname,host
-destination.ip,append
-source.ip,append
 related.user,append
 related.hosts,append
 event.action,by_prio,action,event_type
diff --git a/output/javascript/liblogparser.js b/output/javascript/liblogparser.js
index cec99a0..935bed3 100644
--- a/output/javascript/liblogparser.js
+++ b/output/javascript/liblogparser.js
@@ -1007,8 +1007,8 @@ var ecs_mappings = {
 "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
 "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
 "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
 "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
 "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
 "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
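Review bot: With fld_set on the `daddr` and `daddr_v6` lines, a message that yields both keys now leaves a single address in destination.ip while related.ip still accumulates both through fld_append; which address survives depends on fld_set's semantics (overwrite versus keep-first, defined outside this hunk) and on the order the two mappings are applied. That asymmetry is presumably intended, since ECS destination.ip is single-valued, but nothing in the mapping says so, and a detection rule keyed on destination.ip would silently see only one of the two addresses where a rule on related.ip sees both. A comment above the `daddr` entry would make the contract explicit, e.g. `// destination.ip is single-valued: the IPv4/IPv6 variants share it via fld_set; every address still reaches related.ip via fld_append.` The same applies to the `saddr`/`saddr_v6` hunk at @@ -1088. The enclosing ecs_mappings object starts and ends outside the hunk.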
@@ -1088,8 +1088,8 @@ var ecs_mappings = {
 "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
 "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
 "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
 "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},