Suricata

When enabling the field subjectaltname in custom logging, the JSON schema validator complains that the issuerdn key
is duplicated:

tls-eve-custom-fields/output/eve.json: duplicate key error: key=issuerdn, current value=C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS, new value=C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS

(output from modified version of SV test using ja4-tls test's pcap)

Relevant YAML config:

outputs:¬
  - eve-log:¬
      enabled: yes¬
      types:¬
        - tls:¬
            extended: yes     # enable this for extended logging information¬
            custom: [subject, issuer, subjectaltname]¬

TLS event (stripped of non-tls fields for readability):

{
  "event_type":"tls",
  "pkt_src":"wire/pcap",
  "tls":{
     "subject":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS",
     "issuerdn":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS",
     "issuerdn":"C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS" 
  }
}

Investigation indicates that when logging the subject alternative name in custom logging, we were actually calling the issuerdn logging function.