new(outputs): add source and tags to json output

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>

userspace/engine/formats.cpp

@@ -114,7 +114,7 @@ int falco_formats::lua_free_formatter(lua_State *ls)
 }
 
 string falco_formats::format_event(const gen_event *evt, const std::string &rule, const std::string &source,
-				   const std::string &level, const std::string &format)
+				   const std::string &level, const std::string &format, std::set<std::string> &tags)
 {
 
 	string line;
@@ -181,8 +181,10 @@ string falco_formats::format_event(const gen_event *evt, const std::string &rule
 	if(s_json_output)
 	{
 		Json::Value event;
+		Json::Value rule_tags;
 		Json::FastWriter writer;
 		string full_line;
+		unsigned int rule_tags_idx = 0;
 
 		// Convert the time-as-nanoseconds to a more json-friendly ISO8601.
 		time_t evttime = evt->get_ts() / 1000000000;
@@ -197,6 +199,7 @@ string falco_formats::format_event(const gen_event *evt, const std::string &rule
 		event["time"] = iso8601evttime;
 		event["rule"] = rule;
 		event["priority"] = level;
+		event["source"] = source;
 
 		if(s_json_include_output_property)
 		{
@@ -204,6 +207,12 @@ string falco_formats::format_event(const gen_event *evt, const std::string &rule
 			event["output"] = line;
 		}
 		
+		for (auto &tag : tags)
+		{
+			rule_tags[rule_tags_idx++] = tag;
+		}
+		event["tags"] = rule_tags;
+
 		full_line = writer.write(event);
 
 		// Json::FastWriter may add a trailing newline. If it

userspace/engine/formats.h

@@ -46,7 +46,7 @@ public:
 	static int lua_free_formatter(lua_State *ls);
 
 	static string format_event(const gen_event *evt, const std::string &rule, const std::string &source,
-				   const std::string &level, const std::string &format);
+				   const std::string &level, const std::string &format, std::set<std::string> &tags);
 
 	static map<string, string> resolve_tokens(const gen_event *evt, const std::string &source,
 						  const std::string &format);

userspace/falco/falco_outputs.cpp

@@ -142,7 +142,7 @@ void falco_outputs::add_output(falco::outputs::config oc)
 }
 
 void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
-				 falco_common::priority_type priority, string &format, std::set<std::string> tags)
+				 falco_common::priority_type priority, string &format, std::set<std::string> &tags)
 {
 	if(!m_notifications_tb.claim())
 	{
@@ -190,7 +190,7 @@ void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
 		sformat += " " + format;
 	}
 
-	cmsg.msg = falco_formats::format_event(evt, rule, source, falco_common::priority_names[priority], sformat);
+	cmsg.msg = falco_formats::format_event(evt, rule, source, falco_common::priority_names[priority], sformat, tags);
 	cmsg.fields = falco_formats::resolve_tokens(evt, source, sformat);
 	cmsg.tags.insert(tags.begin(), tags.end());
 

userspace/falco/falco_outputs.h

@@ -48,7 +48,7 @@ public:
 
 	// Format then send the event to all configured outputs (`evt` is an event that has matched some rule).
 	void handle_event(gen_event *evt, std::string &rule, std::string &source,
-			  falco_common::priority_type priority, std::string &format, std::set<std::string> tags);
+			  falco_common::priority_type priority, std::string &format, std::set<std::string> &tags);
 
 	// Format then send a generic message to all outputs. Not necessarily associated with any event.
 	void handle_msg(uint64_t now,