omerbenamram · omerbenamram · Jul 3, 2024 · Jun 9, 2024 · Jun 24, 2024 · Jun 30, 2024
diff --git a/Cargo.toml b/Cargo.toml
@@ -34,7 +34,7 @@ dialoguer = { version = "0.11", optional = true }
 indoc = { version = "2", optional = true }
 
 serde = "1"
-serde_json = "1"
+serde_json = { version = "1", features = ["preserve_order"]}
 
 [target.'cfg(not(windows))'.dependencies]
 # jemalloc is significantly more peformant than the system allocator.

diff --git a/src/json_output.rs b/src/json_output.rs
@@ -536,10 +536,10 @@ mod tests {
         let s2 = r#"
 {
   "HTTPResponseHeadersInfo": {
-    "Header": "HTTP/1.1 200 OK",
     "Header_attributes": {
       "attribute1": "NoProxy"
-    }
+    },
+    "Header": "HTTP/1.1 200 OK"
   }
 }
 "#

diff --git a/tests/snapshots/test_record_samples__event_json_missing_string_cache_entry.snap b/tests/snapshots/test_record_samples__event_json_missing_string_cache_entry.snap
@@ -3,34 +3,34 @@ source: tests/test_record_samples.rs
 expression: "&value"
 ---
 {
+  "Event_attributes": {
+    "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+  },
   "Event": {
-    "EventData": null,
     "System": {
-      "Channel": "Security",
-      "Computer": "37L4247F27-25",
-      "Correlation": null,
-      "EventID": 4608,
-      "EventRecordID": 1,
-      "Execution_attributes": {
-        "ProcessID": 456,
-        "ThreadID": 460
-      },
-      "Keywords": "0x8020000000000000",
-      "Level": 0,
-      "Opcode": 0,
       "Provider_attributes": {
-        "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
-        "Name": "Microsoft-Windows-Security-Auditing"
+        "Name": "Microsoft-Windows-Security-Auditing",
+        "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D"
       },
-      "Security": null,
+      "EventID": 4608,
+      "Version": 0,
+      "Level": 0,
       "Task": 12288,
+      "Opcode": 0,
+      "Keywords": "0x8020000000000000",
       "TimeCreated_attributes": {
         "SystemTime": "2016-07-08T18:12:51.681640Z"
       },
-      "Version": 0
-    }
-  },
-  "Event_attributes": {
-    "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+      "EventRecordID": 1,
+      "Correlation": null,
+      "Execution_attributes": {
+        "ProcessID": 456,
+        "ThreadID": 460
+      },
+      "Channel": "Security",
+      "Computer": "37L4247F27-25",
+      "Security": null
+    },
+    "EventData": null
   }
 }
diff --git a/tests/snapshots/test_record_samples__event_json_multiple_empty_data_nodes_not_ignored.snap b/tests/snapshots/test_record_samples__event_json_multiple_empty_data_nodes_not_ignored.snap
@@ -1,34 +1,33 @@
 ---
 source: tests/test_record_samples.rs
 expression: "&value"
-
 ---
 {
+  "Event_attributes": {
+    "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+  },
   "Event": {
-    "EventData": {
-      "Data": "Set-Mailbox-Identity \"Administrateur\" -DeliverToMailboxAndForward \"False\" -ForwardingSmtpAddress \"smtp:test2@example.com\"ave.local/Users/AdministrateurS-1-5-21-186559946-3925841745-111227986-500S-1-5-21-186559946-3925841745-111227986-500Remote-ManagementShell-Unknown5668 w3wp#MSExchangePowerShellAppPool500:00:26.0389557Afficher la forêt entière : 'False', Portée par défaut : « ave.local », Configuration du contrôleur de domaine : « DC.ave.local », Catalogue global préféré : « DC.ave.local », Contrôleurs de domaine préférés : « { DC.ave.local } »False0 objects execution has been proxied to remote server.0ActivityId: a3591746-a27b-447a-b8be-ff54ae3a46f1ServicePlan:;IsAdmin:True;fr-FR"
-    },
     "System": {
-      "Channel": "MSExchange Management",
-      "Computer": "WEC.ave.local",
-      "EventID": "1",
+      "Provider_attributes": {
+        "Name": "MSExchange CmdletLogs"
+      },
       "EventID_attributes": {
         "Qualifiers": "16384"
       },
-      "EventRecordID": "3229",
-      "Keywords": "0x80000000000000",
+      "EventID": "1",
       "Level": "4",
-      "Provider_attributes": {
-        "Name": "MSExchange CmdletLogs"
-      },
-      "Security": null,
       "Task": "1",
+      "Keywords": "0x80000000000000",
       "TimeCreated_attributes": {
         "SystemTime": "2021-11-19T16:52:33.833733500Z"
-      }
+      },
+      "EventRecordID": "3229",
+      "Channel": "MSExchange Management",
+      "Computer": "WEC.ave.local",
+      "Security": null
+    },
+    "EventData": {
+      "Data": "Set-Mailbox-Identity \"Administrateur\" -DeliverToMailboxAndForward \"False\" -ForwardingSmtpAddress \"smtp:test2@example.com\"ave.local/Users/AdministrateurS-1-5-21-186559946-3925841745-111227986-500S-1-5-21-186559946-3925841745-111227986-500Remote-ManagementShell-Unknown5668 w3wp#MSExchangePowerShellAppPool500:00:26.0389557Afficher la forêt entière : 'False', Portée par défaut : « ave.local », Configuration du contrôleur de domaine : « DC.ave.local », Catalogue global préféré : « DC.ave.local », Contrôleurs de domaine préférés : « { DC.ave.local } »False0 objects execution has been proxied to remote server.0ActivityId: a3591746-a27b-447a-b8be-ff54ae3a46f1ServicePlan:;IsAdmin:True;fr-FR"
     }
-  },
-  "Event_attributes": {
-    "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
   }
 }
diff --git a/tests/snapshots/test_record_samples__event_json_sample.snap b/tests/snapshots/test_record_samples__event_json_sample.snap
@@ -1,43 +1,42 @@
 ---
 source: tests/test_record_samples.rs
 expression: "&value"
-
 ---
 {
   "Event": {
     "#attributes": {
       "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
     },
-    "EventData": null,
     "System": {
-      "Channel": "Security",
-      "Computer": "37L4247F27-25",
-      "Correlation": null,
-      "EventID": 4608,
-      "EventRecordID": 1,
-      "Execution": {
+      "Provider": {
         "#attributes": {
-          "ProcessID": 456,
-          "ThreadID": 460
+          "Name": "Microsoft-Windows-Security-Auditing",
+          "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D"
         }
       },
-      "Keywords": "0x8020000000000000",
+      "EventID": 4608,
+      "Version": 0,
       "Level": 0,
+      "Task": 12288,
       "Opcode": 0,
-      "Provider": {
+      "Keywords": "0x8020000000000000",
+      "TimeCreated": {
         "#attributes": {
-          "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
-          "Name": "Microsoft-Windows-Security-Auditing"
+          "SystemTime": "2016-07-08T18:12:51.681640Z"
         }
       },
-      "Security": null,
-      "Task": 12288,
-      "TimeCreated": {
+      "EventRecordID": 1,
+      "Correlation": null,
+      "Execution": {
         "#attributes": {
-          "SystemTime": "2016-07-08T18:12:51.681640Z"
+          "ProcessID": 456,
+          "ThreadID": 460
         }
       },
-      "Version": 0
-    }
+      "Channel": "Security",
+      "Computer": "37L4247F27-25",
+      "Security": null
+    },
+    "EventData": null
   }
 }
diff --git a/tests/snapshots/test_record_samples__event_json_sample_with_event_data.snap b/tests/snapshots/test_record_samples__event_json_sample_with_event_data.snap
@@ -1,59 +1,58 @@
 ---
 source: tests/test_record_samples.rs
 expression: "&value"
-
 ---
 {
   "Event": {
     "#attributes": {
       "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
     },
-    "EventData": {
-      "CommandLine": "",
-      "MandatoryLabel": "S-1-16-16384",
-      "NewProcessId": "0x58",
-      "NewProcessName": "Registry",
-      "ParentProcessName": "",
-      "ProcessId": "0x4",
-      "SubjectDomainName": "-",
-      "SubjectLogonId": "0x3e7",
-      "SubjectUserName": "-",
-      "SubjectUserSid": "S-1-5-18",
-      "TargetDomainName": "-",
-      "TargetLogonId": "0x0",
-      "TargetUserName": "-",
-      "TargetUserSid": "S-1-0-0",
-      "TokenElevationType": "%%1936"
-    },
     "System": {
-      "Channel": "Security",
-      "Computer": "WIN-LL0C19JS506",
-      "Correlation": null,
-      "EventID": 4688,
-      "EventRecordID": 1,
-      "Execution": {
+      "Provider": {
         "#attributes": {
-          "ProcessID": 4,
-          "ThreadID": 32
+          "Name": "Microsoft-Windows-Security-Auditing",
+          "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D"
         }
       },
-      "Keywords": "0x8020000000000000",
+      "EventID": 4688,
+      "Version": 2,
       "Level": 0,
+      "Task": 13312,
       "Opcode": 0,
-      "Provider": {
+      "Keywords": "0x8020000000000000",
+      "TimeCreated": {
         "#attributes": {
-          "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
-          "Name": "Microsoft-Windows-Security-Auditing"
+          "SystemTime": "2018-07-28T07:24:45.754787Z"
         }
       },
-      "Security": null,
-      "Task": 13312,
-      "TimeCreated": {
+      "EventRecordID": 1,
+      "Correlation": null,
+      "Execution": {
         "#attributes": {
-          "SystemTime": "2018-07-28T07:24:45.754787Z"
+          "ProcessID": 4,
+          "ThreadID": 32
         }
       },
-      "Version": 2
+      "Channel": "Security",
+      "Computer": "WIN-LL0C19JS506",
+      "Security": null
+    },
+    "EventData": {
+      "SubjectUserSid": "S-1-5-18",
+      "SubjectUserName": "-",
+      "SubjectDomainName": "-",
+      "SubjectLogonId": "0x3e7",
+      "NewProcessId": "0x58",
+      "NewProcessName": "Registry",
+      "TokenElevationType": "%%1936",
+      "ProcessId": "0x4",
+      "CommandLine": "",
+      "TargetUserSid": "S-1-0-0",
+      "TargetUserName": "-",
+      "TargetDomainName": "-",
+      "TargetLogonId": "0x0",
+      "ParentProcessName": "",
+      "MandatoryLabel": "S-1-16-16384"
     }
   }
 }
diff --git a/...hots/test_record_samples__event_json_sample_with_event_data_with_attributes_and_text.snap b/...hots/test_record_samples__event_json_sample_with_event_data_with_attributes_and_text.snap
@@ -1,49 +1,48 @@
 ---
 source: tests/test_record_samples.rs
-assertion_line: 92
 expression: "&value"
 ---
 {
   "Event": {
     "#attributes": {
       "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
     },
-    "EventData": {
-      "Binary": null,
-      "Data": {
-        "#text": [
-          "10.00.",
-          "15063",
-          "",
-          "Multiprocessor Free",
-          "0"
-        ]
-      }
-    },
     "System": {
-      "Channel": "System",
-      "Computer": "WIN-P4SIAA0SQCO",
+      "Provider": {
+        "#attributes": {
+          "Name": "EventLog"
+        }
+      },
       "EventID": {
         "#attributes": {
           "Qualifiers": 32768
         },
         "#text": 6009
       },
-      "EventRecordID": 1,
-      "Keywords": "0x80000000000000",
       "Level": 4,
-      "Provider": {
-        "#attributes": {
-          "Name": "EventLog"
-        }
-      },
-      "Security": null,
       "Task": 0,
+      "Keywords": "0x80000000000000",
       "TimeCreated": {
         "#attributes": {
           "SystemTime": "2017-07-12T17:16:28.214161Z"
         }
-      }
+      },
+      "EventRecordID": 1,
+      "Channel": "System",
+      "Computer": "WIN-P4SIAA0SQCO",
+      "Security": null
+    },
+    "EventData": {
+      "Data": {
+        "#text": [
+          "10.00.",
+          "15063",
+          "",
+          "Multiprocessor Free",
+          "0"
+        ]
+      },
+      "Binary": null
     }
   }
 }