Task #7693

open

runner: not/has-key check accept duplicate keys/arrays

Added by Juliana Fajardini Reichow about 23 hours ago. Updated about 23 hours ago.

Status:
New
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:
Python

Description

Suricata-verify can check for the existence or absence of JSON keys. However, starting from the second level, it won't accept duplicate keys and will only process the last seen key for a given filter.

The goal of this task is to allow has-key and not-has-key to accept arrays, to fix that and offer more flexibility.

Examples:
It correctly handles:

- filter:
    count: 1
    match:
      dest_ip: 192.168.1.74
      dest_port: 5432
      event_type: pgsql
      pcap_cnt: 12
      pgsql.response.message: authentication_ok
      not-has-key: pgsql.request.password

or

  - filter:
      count: 1
      match:
        event_type: alert
        not-has-key: flow
        not-has-key: http
        not-has-key: alert.metadata
        not-has-key: alert.rule

But will only correctly process the second not-has-key with the duplicate key, here:

- filter:
    count: 1
    match:
      dest_ip: 192.168.1.74
      dest_port: 5432
      event_type: pgsql
      pcap_cnt: 12
      pgsql.response.message: authentication_ok
      not-has-key: pgsql.request.password
      not-has-key: pgsql.request

Currently, the above can only be tested/checked using two different filters.
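The following is an added example, not suricata-verify's own code. It evaluates has-key / not-has-key over EVE-style JSON records with the key given either as a scalar or as a list (the array form this task asks for), and shows why the duplicated key is a problem: a mapping literal with a repeated key keeps only the last value, which is also what PyYAML's safe_load does with the repeated not-has-key lines above, so three of the four checks in the alert filter silently vanish. The match semantics (every other key is a dotted path compared for equality, count is the expected number of matching events) and the sample records are assumptions constructed for this example.

```python
"""Added example (not suricata-verify's own code): has-key / not-has-key
matching over EVE-style JSON records, scalar or list form, plus a demonstration
of how a repeated mapping key drops all but the last check."""
import json

# Sentinel for "path absent"; None is not used because null is a legal JSON value.
_MISSING = object()


def lookup(event, dotted):
    """Resolve a dotted path such as "alert.rule" inside a nested dict."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def has_path(event, dotted):
    return lookup(event, dotted) is not _MISSING


def as_list(value):
    """Accept either a single key or a list of keys (the array form)."""
    return list(value) if isinstance(value, (list, tuple)) else [value]


def event_matches(event, match):
    """Evaluate one filter's match block against one event (assumed semantics):
    has-key: every listed path must exist; not-has-key: none may exist;
    any other key is a dotted path whose value must equal the expected value."""
    for key, expected in match.items():
        if key == "has-key":
            if not all(has_path(event, p) for p in as_list(expected)):
                return False
        elif key == "not-has-key":
            if any(has_path(event, p) for p in as_list(expected)):
                return False
        elif lookup(event, key) != expected:
            return False
    return True


def count_matches(events, match):
    return sum(1 for e in events if event_matches(e, match))


# Constructed records in the shape of Suricata EVE output (not real captures).
EVE_LINES = [
    '{"event_type": "alert", "src_ip": "10.0.0.5", "alert": {"signature_id": 1}}',
    '{"event_type": "alert", "src_ip": "10.0.0.6", "alert": {"signature_id": 2}, '
    '"http": {"hostname": "example.invalid"}}',
    '{"event_type": "pgsql", "pgsql": {"response": {"message": "authentication_ok"}}}',
]
EVENTS = [json.loads(line) for line in EVE_LINES]

# The ticket's alert filter written with a list: every key is checked.
LIST_MATCH = {
    "event_type": "alert",
    "not-has-key": ["flow", "http", "alert.metadata", "alert.rule"],
}

# The same filter with the key repeated. A Python dict literal keeps only the
# last value for a repeated key, exactly as PyYAML's safe_load does for the
# duplicated not-has-key lines in the ticket, so only alert.rule is checked.
DUPLICATE_KEY_MATCH = {
    "event_type": "alert",
    "not-has-key": "flow",
    "not-has-key": "http",
    "not-has-key": "alert.metadata",
    "not-has-key": "alert.rule",
}


def demo():
    """Return (matches with list form, matches with collapsed duplicate-key form,
    the single key that survived the collapse)."""
    return (
        count_matches(EVENTS, LIST_MATCH),           # the record with "http" is excluded
        count_matches(EVENTS, DUPLICATE_KEY_MATCH),  # the "http" check was dropped
        DUPLICATE_KEY_MATCH["not-has-key"],
    )


if __name__ == "__main__":
    print(demo())
```

With the list form the second alert record is rejected because it carries an http object; with the repeated key the same record passes, because the parsed filter no longer contains the http check at all. A test suite that loses checks this way reports success without having verified anything, which is why a filter format that rejects or merges duplicate keys, rather than silently overwriting them, matters.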

Actions #1

Updated by Juliana Fajardini Reichow about 23 hours ago

  • Tracker changed from Feature to Task
Actions #2

Updated by Juliana Fajardini Reichow about 23 hours ago

  • Assignee changed from OISF Dev to Community Ticket