fix(correlation): keepalives field not populated in ClickHouse (v1.1.17)

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

internal/domain/correlated_log.go

@@ -61,6 +61,10 @@ func (c CorrelatedLog) MarshalJSON() ([]byte, error) {
 
 // NewCorrelatedLogFromEvent creates a correlated log from a single event (orphan).
 func NewCorrelatedLogFromEvent(event *NormalizedEvent, orphanSide string) CorrelatedLog {
+	fields := extractFields(event)
+	if event.KeepAliveSeq > 0 {
+		fields["keepalives"] = event.KeepAliveSeq
+	}
 	return CorrelatedLog{
 		Timestamp:  event.Timestamp,
 		SrcIP:      event.SrcIP,
@@ -69,7 +73,7 @@ func NewCorrelatedLogFromEvent(event *NormalizedEvent, orphanSide string) Correl
 		DstPort:    event.DstPort,
 		Correlated: false,
 		OrphanSide: orphanSide,
-		Fields:     extractFields(event),
+		Fields:     fields,
 	}
 }
 
@@ -80,6 +84,11 @@ func NewCorrelatedLog(apacheEvent, networkEvent *NormalizedEvent) CorrelatedLog
 		ts = networkEvent.Timestamp
 	}
 
+	fields := mergeFields(apacheEvent, networkEvent)
+	if apacheEvent.KeepAliveSeq > 0 {
+		fields["keepalives"] = apacheEvent.KeepAliveSeq
+	}
+
 	return CorrelatedLog{
 		Timestamp:  ts,
 		SrcIP:      apacheEvent.SrcIP,
@@ -88,7 +97,7 @@ func NewCorrelatedLog(apacheEvent, networkEvent *NormalizedEvent) CorrelatedLog
 		DstPort:    coalesceInt(apacheEvent.DstPort, networkEvent.DstPort),
 		Correlated: true,
 		OrphanSide: "",
-		Fields:     mergeFields(apacheEvent, networkEvent),
+		Fields:     fields,
 	}
 }