Bug #5885
closed
base64_decode not populating up to an invalid character
Description
This might be a regression of https://redmine.openinfosecfoundation.org/issues/5223
I was working on a base64_decode signature, and I'm having a hard time getting it to fire. I've long forgotten where this ticket landed specific to what happens to the buffer when a non-base64 character is hit. I was thinking it'd still populate the base64_data buffer with what could be decoded, but that doesn't seem to be the case.
reference: https://redmine.openinfosecfoundation.org/issues/5223
example: https://app.any.run/tasks/f785af40-6c70-43db-94cf-a67f9484301d/#
pcap attached:
In my current use case the string is API=Y21Wd2IzSjBaVzFoYVd4bWNtRjFaRUJoZEc4dVoyOTJMbUYxOmpqcHh4b3Rhb2w%3D
I was hoping that I could call the base64_decode, and it would populate base64_data with everything that can be decoded up to hitting that %.
A rule that doesn't hit with 6.0.9 or 7.0.0-beta1, but does hit in 6.0.6:
http.request_body; content:"API="; startswith; base64_decode:offset 0, relative; base64_data; content:"Ym9zLml";
If I add the url_decode transform it works great, but that transform is not available in all the engines.
http.request_body; url_decode; content:"API="; startswith; base64_decode:offset 0, relative; base64_data; content:"Ym9zLml";
I'm hoping to just get an understanding of what the expected behavior is; that will help determine if this is an issue, or just a difference in expectation.
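The two possible behaviors discussed in this ticket, run over the string from the report, as an added example that is not part of the original report and is not Suricata's decoder. `decode_strict` and `decode_prefix` are hypothetical names, and the sample is the value after `API=` quoted above.

```python
import base64
import binascii
from urllib.parse import unquote_to_bytes

# Standard base64 alphabet as byte values (padding '=' handled separately).
B64_ALPHABET = set(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)

# Constructed sample: the value after "API=" in the request body from the ticket.
SAMPLE = b"Y21Wd2IzSjBaVzFoYVd4bWNtRjFaRUJoZEc4dVoyOTJMbUYxOmpqcHh4b3Rhb2w%3D"


def decode_strict(data):
    """All-or-nothing: return None if any byte is not valid base64."""
    try:
        return base64.b64decode(data, validate=True)
    except binascii.Error:
        return None


def decode_prefix(data):
    """Best-effort: decode everything before the first invalid byte.

    Returns (decoded_bytes, number_of_input_bytes_consumed).
    """
    end = 0
    while end < len(data) and data[end] in B64_ALPHABET:
        end += 1
    prefix = data[:end]
    # A lone trailing character carries only 6 bits and cannot form a byte.
    if len(prefix) % 4 == 1:
        prefix = prefix[:-1]
    padded = prefix + b"=" * (-len(prefix) % 4)
    return base64.b64decode(padded), end


if __name__ == "__main__":
    decoded, consumed = decode_prefix(SAMPLE)
    print("strict on raw body :", decode_strict(SAMPLE))
    print("prefix on raw body :", decoded, "stopped at offset", consumed)
    # URL-decoding first turns %3D into '=', so strict decoding succeeds.
    print("strict after unquote:", decode_strict(unquote_to_bytes(SAMPLE)))
```
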
Files