From a9ca6cf84833ed0aae361390564e0fff123a358e Mon Sep 17 00:00:00 2001 From: DustInDark <2350416+hitenkoku@users.noreply.github.com> Date: Sat, 3 Feb 2024 20:38:51 +0900 Subject: [PATCH] feat(afterfact, message): modified JSON output from alphabetical order to original order in rule #1264 --- src/afterfact.rs | 17 +++++++++++++++-- src/detections/message.rs | 13 ++++++------- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index 6d0be07a9..7f462d9a8 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -16,6 +16,7 @@ use chrono::{DateTime, Local, TimeZone, Utc}; use comfy_table::modifiers::UTF8_ROUND_CORNERS; use comfy_table::presets::UTF8_FULL; use compact_str::CompactString; +use hashbrown::hash_map::RawEntryMut; use terminal_size::terminal_size; use csv::{QuoteStyle, WriterBuilder}; 
@@ -1633,20 +1634,32 @@ pub fn output_json_str( }; let mut children_output_stock: HashMap> = HashMap::new(); + let mut children_output_order = vec![]; for contents in details_target_stock.iter() { let (key, value) = contents.split_once(':').unwrap_or_default(); let output_key = _convert_valid_json_str(&[key], false); let fmted_val = _convert_valid_json_str(&[value.trim_start()], false); + if let RawEntryMut::Vacant(_) = children_output_stock + .raw_entry_mut() + .from_key(output_key.as_str()) + { + children_output_order.push(output_key.clone()); + } children_output_stock .entry(output_key.into()) .or_insert(vec![]) .push(fmted_val.into()); } + // ルール内での表示順に合わせた表示順を戻した配列 let mut sorted_children_output_stock: Vec<( &CompactString, &Vec, )> = children_output_stock.iter().collect_vec(); - sorted_children_output_stock.sort_by(|a, b| a.0.cmp(b.0)); + for (k, v) in children_output_stock.iter() { + let index_in_rule = + children_output_order.iter().position(|x| x == k).unwrap(); + sorted_children_output_stock[index_in_rule] = (k, v); + } for (idx, (c_key, c_val)) in sorted_children_output_stock.iter().enumerate() { let fmted_c_val = if c_val.len() == 1 { c_val[0].to_string() @@ -1656,7 +1669,7 @@ pub fn output_json_str( c_val.iter().map(|x| { format!("\"{x}\"") }).join(", ") ) }; - if idx != sorted_children_output_stock.len() - 1 { + if idx != children_output_stock.len() - 1 { output_stock.push(format!( "{},", _create_json_output_format( diff --git a/src/detections/message.rs b/src/detections/message.rs index 65bb7f6b2..40bab12f9 100644 --- a/src/detections/message.rs +++ b/src/detections/message.rs 
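Review bot: The reorder loop after the `// ルール内での表示順...` comment rebuilds `sorted_children_output_stock` by running `children_output_order.iter().position(|x| x == k).unwrap()` for every map entry, which is quadratic in the number of keys and relies on the Vacant probe above to keep that `unwrap()` from panicking. Building the vector from the order list removes both the scan and the unwrap: `let sorted_children_output_stock: Vec<_> = children_output_order.iter().map(|k| (k, &children_output_stock[k])).collect();` in place of the `collect_vec()` initialisation and the `for (k, v)` loop. The `RawEntryMut::Vacant` probe is then only a membership test, and `if !children_output_stock.contains_key(output_key.as_str())` says the same without tying the code to the hashbrown raw-entry API (presumably `children_output_stock` is a hashbrown map here, since `raw_entry_mut` would not resolve on the std map). The `children_output_stock.len() - 1` comparison in the next hunk could then read the length of the rebuilt vector directly. output_json_str starts and ends outside the hunk.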
@@ -287,7 +287,7 @@ pub fn parse_message( field_data_map: &Option, ) -> (CompactString, Vec) { let mut return_message = output.clone(); - let mut hash_map: HashMap> = HashMap::new(); + let mut hash_map: Vec<(CompactString, Vec)> = vec![]; let details_key: Vec<&str> = output.split(" ¦ ").collect(); for caps in ALIASREGEX.captures_iter(&return_message) { let full_target_str = &caps[0]; @@ -337,19 +337,19 @@ pub fn parse_message( converted_str.unwrap_or(hash_value) }; if json_timeline_flag { - hash_map.insert(CompactString::from(full_target_str), [field_data].to_vec()); + hash_map.push((CompactString::from(full_target_str), [field_data].to_vec())); } else { - hash_map.insert( + hash_map.push(( CompactString::from(full_target_str), [field_data.split_ascii_whitespace().join(" ").into()].to_vec(), - ); + )); } } } else { - hash_map.insert( + hash_map.push(( CompactString::from(full_target_str), ["n/a".into()].to_vec(), - ); + )); } } let mut details_key_and_value: Vec = vec![]; @@ -366,7 +366,6 @@ pub fn parse_message( } } } - details_key_and_value.sort_unstable(); (return_message, details_key_and_value) }
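Review bot: `hash_map` is now a `Vec<(CompactString, Vec<CompactString>)>` but keeps its old name, so every `hash_map.push((..))` in the following hunk reads as a map operation that it no longer is. Renaming it at the declaration, e.g. `let mut alias_values: Vec<(CompactString, Vec<CompactString>)> = vec![];`, and updating the push sites keeps the intent of the change (insertion order instead of key order) visible to the next reader. parse_message starts before and continues after this hunk.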
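Review bot: The three `hash_map.push((CompactString::from(full_target_str), ..))` calls no longer collapse a repeated alias the way `HashMap::insert` did, so if the same alias occurs twice in `output` the pair is now recorded twice where the previous version kept only the last insert. Whether the duplicate reaches `details_key_and_value` depends on the loop that follows this hunk, which is outside the diff, so this may be harmless; if a single entry per alias is still the intent, skipping the push when `hash_map.iter().any(|(k, _)| k == full_target_str)` is true restores it while preserving first-occurrence order, which matches the removal of `sort_unstable()` in the last hunk. parse_message's body continues outside the hunk.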