From cd1444135b6d1656fef01a3120cf56dd24340879 Mon Sep 17 00:00:00 2001 From: toto Date: Fri, 6 Mar 2026 17:42:40 +0100 Subject: [PATCH] fix(correlation): keepalives field not populated in ClickHouse (v1.1.17) Co-authored-by: Qwen-Coder --- Makefile | 2 +- internal/domain/correlated_log.go | 13 +++++++++++-- packaging/rpm/logcorrelator.spec | 7 +++++++ 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 6425577..7f4d972 100644 --- a/Makefile +++ b/Makefile @@ -20,7 +20,7 @@ BINARY_NAME=logcorrelator DIST_DIR=dist # Package version -PKG_VERSION ?= 1.1.16 +PKG_VERSION ?= 1.1.17 # Enable BuildKit for better performance export DOCKER_BUILDKIT=1 diff --git a/internal/domain/correlated_log.go b/internal/domain/correlated_log.go index 0a16b56..a54d1cd 100644 --- a/internal/domain/correlated_log.go +++ b/internal/domain/correlated_log.go @@ -61,6 +61,10 @@ func (c CorrelatedLog) MarshalJSON() ([]byte, error) { // NewCorrelatedLogFromEvent creates a correlated log from a single event (orphan). func NewCorrelatedLogFromEvent(event *NormalizedEvent, orphanSide string) CorrelatedLog { + fields := extractFields(event) + if event.KeepAliveSeq > 0 { + fields["keepalives"] = event.KeepAliveSeq + } return CorrelatedLog{ Timestamp: event.Timestamp, SrcIP: event.SrcIP, @@ -69,7 +73,7 @@ func NewCorrelatedLogFromEvent(event *NormalizedEvent, orphanSide string) Correl DstPort: event.DstPort, Correlated: false, OrphanSide: orphanSide, - Fields: extractFields(event), + Fields: fields, } } @@ -80,6 +84,11 @@ func NewCorrelatedLog(apacheEvent, networkEvent *NormalizedEvent) CorrelatedLog ts = networkEvent.Timestamp } + fields := mergeFields(apacheEvent, networkEvent) + if apacheEvent.KeepAliveSeq > 0 { + fields["keepalives"] = apacheEvent.KeepAliveSeq + } + return CorrelatedLog{ Timestamp: ts, SrcIP: apacheEvent.SrcIP, 
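Review bot: The `if event.KeepAliveSeq > 0` guard added to NewCorrelatedLogFromEvent in the first correlated_log.go hunk, and the matching `apacheEvent.KeepAliveSeq > 0` guard added to NewCorrelatedLog in the `@@ -80,6 +84,11 @@` hunk, only overwrite `fields["keepalives"]` for positive values. A `keepalives` key that extractFields or mergeFields may already have copied from the parsed log record would therefore reach ClickHouse untouched when the sequence is zero. Those helpers are outside the diff, so this is inferred; if they do copy source-supplied keys, whoever controls the log line can set the derived column, and an `else { delete(fields, "keepalives") }` branch (or an unconditional assignment) would keep the value authoritative. The write also assumes neither helper returns a nil map, since assigning into a nil map panics; add a nil check before the assignment, or a doc comment on the helpers stating that guarantee. The diffstat lists no test file, so a regression test asserting that the marshalled JSON carries `keepalives` for both constructors is worth adding; both function bodies extend beyond their hunks.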
@@ -88,7 +97,7 @@ func NewCorrelatedLog(apacheEvent, networkEvent *NormalizedEvent) CorrelatedLog DstPort: coalesceInt(apacheEvent.DstPort, networkEvent.DstPort), Correlated: true, OrphanSide: "", - Fields: mergeFields(apacheEvent, networkEvent), + Fields: fields, } } diff --git a/packaging/rpm/logcorrelator.spec b/packaging/rpm/logcorrelator.spec index 573ce9b..4bb632d 100644 --- a/packaging/rpm/logcorrelator.spec +++ b/packaging/rpm/logcorrelator.spec @@ -145,6 +145,13 @@ exit 0 %config(noreplace) /etc/logrotate.d/logcorrelator %changelog +* Fri Mar 06 2026 logcorrelator - 1.1.17-1 +- Fix(correlation): champ keepalives non peuple dans ClickHouse + Le champ KeepAliveSeq de NormalizedEvent n'etait pas transfere dans les Fields + de CorrelatedLog. La vue materialisee ClickHouse extrayait keepalives du JSON + mais trouvait toujours 0. Desormais, NewCorrelatedLog et NewCorrelatedLogFromEvent + ajoutent explicitement keepalives = KeepAliveSeq dans les Fields. + * Fri Mar 06 2026 logcorrelator - 1.1.16-1 - Feat(correlation): emettre les evenements A filtrés par include_dest_ports vers ClickHouse Quand un evenement A (HTTP) etait exclu par le filtre include_dest_ports, il etait