From 65e12fa62a3031cbc27fe7af08608b0edcb20408 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 11 May 2023 11:21:11 +0200
Subject: [PATCH 1/3] ftp: improves check for alert app-layer data

---
tests/ftp/ftp-too-long-command/test.yaml | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/tests/ftp/ftp-too-long-command/test.yaml b/tests/ftp/ftp-too-long-command/test.yaml
index 3336d8883..4ce3111b0 100644
--- a/tests/ftp/ftp-too-long-command/test.yaml
+++ b/tests/ftp/ftp-too-long-command/test.yaml
@@ -34,3 +34,11 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 2232000
+ # Alert has app-layer details.
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2232000
+ ftp.command: "RETR"

From f595b1a08613d0531e1293089253637e51ada5e5 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 11 May 2023 11:21:32 +0200
Subject: [PATCH 2/3] tftp: improves check for alert app-layer data

---
tests/output-eve-tftp-01/test.yaml | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/tests/output-eve-tftp-01/test.yaml b/tests/output-eve-tftp-01/test.yaml
index b83cefc3e..814c80d54 100644
--- a/tests/output-eve-tftp-01/test.yaml
+++ b/tests/output-eve-tftp-01/test.yaml
@@ -15,3 +15,9 @@ checks:
 count: 1
 match:
 event_type: alert
+- filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ tftp.packet: "read"

From 4387a092d03a96f4f35d614b22f1e9ef72239d3f Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Fri, 12 May 2023 12:28:05 +0200
Subject: [PATCH 3/3] krb5: improves check for alert app-layer data

---
tests/krb5-kerberoasting/test.yaml | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/tests/krb5-kerberoasting/test.yaml b/tests/krb5-kerberoasting/test.yaml
index bd5ba8a3f..b7f1284a7 100644
--- a/tests/krb5-kerberoasting/test.yaml
+++ b/tests/krb5-kerberoasting/test.yaml
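Review bot: The new `min-version: 8` filter in this ftp hunk is the only one of the three in the series that explains itself — the tftp and krb5 hunks add the same kind of filter without the `# Alert has app-layer details.` comment, and the krb5 hunk leaves its value bare (`krb5.msg_type: KRB_TGS_REP`) where this hunk and the tftp hunk quote theirs (`ftp.command: "RETR"`, `tftp.packet: "read"`). Carrying the same comment into the tftp and krb5 filters and writing `krb5.msg_type: "KRB_TGS_REP"` would make the three checks read as one pattern; YAML treats both spellings as the same string, so this is wording only. The enclosing `checks:` list starts outside each hunk, and the collapsed diff text no longer shows the indentation of the added lines, so whether each new `- filter:` entry sits at the same level as the existing ones cannot be confirmed from here.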
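Review bot: The new tftp filter pins the alert only by `event_type: alert` and `tftp.packet: "read"`, with no `alert.signature_id`, whereas the ftp and krb5 filters in this series tie the app-layer fields to a specific sid; as written, an alert from any rule that fires on the same read request would satisfy it. If the test's rule file defines a sid for this alert, adding `alert.signature_id: <sid-from-rules-file>` under `match:` makes the check assert that the intended rule's event is the one carrying the tftp data. The enclosing `checks:` list starts outside the hunk, so it is not visible whether an earlier check already pins the sid.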
@@ -21,6 +21,13 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ krb5.msg_type: KRB_TGS_REP
 - filter:
 count: 1
 match: