From bbdb368e3cd44b639ebc9d71aed1a52bf698f2c2 Mon Sep 17 00:00:00 2001
From: h4l0gen <ks3913688@gmail.com>
Date: Fri, 26 Jan 2024 22:22:01 +0530
Subject: [PATCH] Changed format of the 'output' field in the JSON payload

Signed-off-by: h4l0gen <ks3913688@gmail.com>

updated

Signed-off-by: h4l0gen <ks3913688@gmail.com>

build error fixed

Signed-off-by: h4l0gen <ks3913688@gmail.com>
---
 userspace/engine/formats.cpp | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/userspace/engine/formats.cpp b/userspace/engine/formats.cpp
index c6826198bf2..05cf0fc6a8d 100644
--- a/userspace/engine/formats.cpp
+++ b/userspace/engine/formats.cpp
@@ -43,9 +43,6 @@ std::string falco_formats::format_event(sinsp_evt *evt, const std::string &rule,
 
 	formatter = m_falco_engine->create_formatter(source, format);
 
-	// Format the original output string, regardless of output format
-	formatter->tostring_withformat(evt, line, sinsp_evt_formatter::OF_NORMAL);
-
 	if(formatter->get_output_format() == sinsp_evt_formatter::OF_JSON)
 	{
 		std::string json_line;
@@ -89,6 +86,7 @@ std::string falco_formats::format_event(sinsp_evt *evt, const std::string &rule,
 		if(m_json_include_output_property)
 		{
 			// This is the filled-in output line.
+			formatter->tostring_withformat(evt, line, sinsp_evt_formatter::OF_JSON);
 			event["output"] = line;
 		}
 
@@ -127,6 +125,10 @@ std::string falco_formats::format_event(sinsp_evt *evt, const std::string &rule,
 		full_line.append("}");
 		line = full_line;
 	}
+    else
+	{
+		formatter->tostring_withformat(evt, line, sinsp_evt_formatter::OF_NORMAL);
+	}
 
 	return line;
 }