Optimization #2405 (closed)

files: Use FileTruncateAllOpenFiles for every app layer protocol

Added by Maurizio Abba over 6 years ago. Updated about 1 year ago.

Status: Closed
Priority: Normal

Description

eve-log is able to add a parameter "gaps" for files where Suricata saw a reassembly gap. Unfortunately, this flag is set by the Rust parsers only.
This optimization involves being able to show this flag also for HTTP/SMTP.

To accomplish this result, we need to act on two sides:
1) Use the "direction" parameter in the StateTruncate handler. This parameter is actually a set of STREAM_* flags; one of the flags set by stream-tcp-reassemble is STREAM_GAP.
2) Add the parameter "flags" to the FileTruncateAllOpenFiles function in util-file. The "direction" variable will be passed as "flags". If the flag STREAM_GAP is present, we will set the related FILE_HAS_GAPS flag in the flags array of the File * pointer.

There is a caveat: setting the flag FILE_HAS_GAPS will cause the state to be updated to FILE_STATE_TRUNCATED (cfr. util-file.c:FileCloseFilePtr). This will cause the file logging to be performed even if the detection has not terminated yet (e.g. when gaps happen before the minimal inspect size for the buffer is reached). To force the detection phase, we prevent the state update to FILE_STATE_TRUNCATED. It must be noted that the file->state will be updated anyway inside the logging module (cfr. output-file.c:OutputFileLog and output-filedata.c:OutputFiledataLog).

If anybody has a better idea on how to do it, please shout!
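As an added illustration (not code from the issue, nor Suricata's own implementation), the following self-contained C model shows the two-step change and the caveat described above: the stream direction bits reach the truncate routine as "flags", every still-open file gets FILE_HAS_GAPS when STREAM_GAP is set, the file state is deliberately not moved to FILE_STATE_TRUNCATED at that point so detection can still inspect the buffer, and the logging side finalizes the state later. The names STREAM_GAP, FILE_HAS_GAPS, FILE_STATE_TRUNCATED and FileTruncateAllOpenFiles come from the issue text; the numeric bit values, the File/FileContainer layout, the functions with a "Model" suffix and the scenario helpers are constructed assumptions for this example only.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Illustrative bit values. The names follow the issue text; the numeric
 * values and struct layouts are constructed for this example and are not
 * Suricata's own definitions. */
#define STREAM_TOSERVER  0x01
#define STREAM_TOCLIENT  0x02
#define STREAM_GAP       0x04

#define FILE_HAS_GAPS    0x08

enum FileState {
    FILE_STATE_NONE = 0,
    FILE_STATE_OPENED,
    FILE_STATE_CLOSED,
    FILE_STATE_TRUNCATED
};

typedef struct File_ {
    enum FileState state;   /* lifecycle state of this file */
    uint16_t flags;         /* per-file flag bits, e.g. FILE_HAS_GAPS */
    struct File_ *next;     /* singly linked list inside the container */
} File;

typedef struct FileContainer_ {
    File *head;
} FileContainer;

/* Model of step 2: the stream "direction" bits arrive as `flags`. Every file
 * that is still open gets FILE_HAS_GAPS when STREAM_GAP is set. The state is
 * deliberately left at FILE_STATE_OPENED rather than moved to
 * FILE_STATE_TRUNCATED, so the detection engine still inspects the buffered
 * data before the file is logged (the caveat in the issue).
 * Returns how many files were marked. */
int FileTruncateAllOpenFilesModel(FileContainer *fc, uint16_t flags)
{
    int marked = 0;
    for (File *f = fc->head; f != NULL; f = f->next) {
        if (f->state != FILE_STATE_OPENED)
            continue;
        if (flags & STREAM_GAP) {
            f->flags |= FILE_HAS_GAPS;
            marked++;
        }
    }
    return marked;
}

/* Model of the logging side: when the file is finally logged, a file carrying
 * FILE_HAS_GAPS is finalized as truncated and eve-log would emit "gaps": true.
 * Returns true when the gaps field would be set. */
bool OutputFileLogModel(File *f)
{
    if (f->flags & FILE_HAS_GAPS) {
        f->state = FILE_STATE_TRUNCATED;
        return true;
    }
    f->state = FILE_STATE_CLOSED;
    return false;
}

/* Constructed scenario: two open files followed by one already-closed file. */
static FileContainer BuildContainer(File store[3])
{
    store[2] = (File){ FILE_STATE_CLOSED, 0, NULL };
    store[1] = (File){ FILE_STATE_OPENED, 0, &store[2] };
    store[0] = (File){ FILE_STATE_OPENED, 0, &store[1] };
    return (FileContainer){ &store[0] };
}

/* Number of files marked with FILE_HAS_GAPS for a given direction value. */
int CountMarked(uint16_t direction)
{
    File store[3];
    FileContainer fc = BuildContainer(store);
    return FileTruncateAllOpenFilesModel(&fc, direction);
}

/* State of the first file right after marking: still OPENED, so detection
 * gets its turn before logging. */
int StateAfterMark(void)
{
    File store[3];
    FileContainer fc = BuildContainer(store);
    FileTruncateAllOpenFilesModel(&fc, STREAM_TOSERVER | STREAM_GAP);
    return (int)fc.head->state;
}

/* State of the same file once the logger has processed it: TRUNCATED. */
int StateAfterLog(void)
{
    File store[3];
    FileContainer fc = BuildContainer(store);
    FileTruncateAllOpenFilesModel(&fc, STREAM_TOSERVER | STREAM_GAP);
    OutputFileLogModel(fc.head);
    return (int)fc.head->state;
}
```

The point of keeping the state at OPENED in the truncate step is the one the caveat makes: if the gap mark immediately produced FILE_STATE_TRUNCATED, the file could be logged before detection had inspected it, so the state transition is left to the logging module.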
