-rw-r--r--output/ulogd_output_JSON.c15
-rw-r--r--ulogd.conf.in3
2 files changed, 17 insertions, 1 deletions
diff --git a/output/ulogd_output_JSON.c b/output/ulogd_output_JSON.c
index 3ad2620..36a4d49 100644
--- a/output/ulogd_output_JSON.c
+++ b/output/ulogd_output_JSON.c
@@ -46,6 +46,7 @@ enum json_conf {
JSON_CONF_FILENAME = 0,
JSON_CONF_SYNC,
JSON_CONF_TIMESTAMP,
+ JSON_CONF_EVENTV1,
JSON_CONF_DEVICE,
JSON_CONF_BOOLEAN_LABEL,
JSON_CONF_MAX
@@ -72,6 +73,12 @@ static struct config_keyset json_kset = {
.options = CONFIG_OPT_NONE,
.u = { .value = 1 },
},
+ [JSON_CONF_EVENTV1] = {
+ .key = "eventv1",
+ .type = CONFIG_TYPE_INT,
+ .options = CONFIG_OPT_NONE,
+ .u = { .value = 0 },
+ },
[JSON_CONF_DEVICE] = {
.key = "device",
.type = CONFIG_TYPE_STRING,
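Review bot: The new `[JSON_CONF_EVENTV1]` entry has no comment saying what the flag changes, and the key name `eventv1` alone does not tell a reader that it alters the output schema. A one-line comment above the entry would do, for example `/* non-zero: add "@version": 1 and write the time under "@timestamp" instead of "timestamp" */`. The value is typed `CONFIG_TYPE_INT` but is only compared against 0 in json_interp, so any non-zero setting enables it; the same comment could say so. The json_kset initializer starts and ends outside this hunk.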
@@ -101,6 +108,9 @@ static int json_interp(struct ulogd_pluginstance *upi)
return ULOGD_IRET_ERR;
}
+ if (upi->config_kset->ces[JSON_CONF_EVENTV1].u.value != 0)
+ json_object_set_new(msg, "@version", json_integer(1));
+
if (upi->config_kset->ces[JSON_CONF_TIMESTAMP].u.value != 0) {
time_t now;
char timestr[MAX_LOCAL_TIME_STRING];
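Review bot: The result of `json_object_set_new(msg, "@version", json_integer(1))` is discarded, so if the integer cannot be allocated or the insert fails, the event is written with `eventv1` enabled but without `@version`, and nothing is logged. A log consumer that selects its parser on that field would then treat the record as a different schema. Checking the return is enough: `if (json_object_set_new(msg, "@version", json_integer(1)) < 0) ulogd_log(ULOGD_ERROR, "could not add @version\n");`. The two `json_object_set_new` calls added in the next hunk discard their result in the same way. json_interp begins and ends outside this hunk.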
@@ -130,7 +140,10 @@ static int json_interp(struct ulogd_pluginstance *upi)
t->tm_min, t->tm_sec);
}
- json_object_set_new(msg, "timestamp", json_string(timestr));
+ if (upi->config_kset->ces[JSON_CONF_EVENTV1].u.value != 0)
+ json_object_set_new(msg, "@timestamp", json_string(timestr));
+ else
+ json_object_set_new(msg, "timestamp", json_string(timestr));
}
if (upi->config_kset->ces[JSON_CONF_DEVICE].u.string) {
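Review bot: `"@timestamp"` is filled with the same `timestr` as the legacy `"timestamp"` key, and the format that builds it lies outside the hunk; the buffer name `MAX_LOCAL_TIME_STRING` suggests it is local time. Readers of this event format generally expect `@timestamp` to be ISO 8601 with a zone designator, so a zone-less local time would likely be taken as UTC and shift firewall events when they are correlated with other logs. Please confirm the string carries an offset, or document the limitation next to `eventv1` in ulogd.conf.in. Separately, the `eventv1` test could be evaluated once and the key chosen with `const char *ts_key = eventv1 ? "@timestamp" : "timestamp";` so the two `json_object_set_new` calls are not duplicated.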
diff --git a/ulogd.conf.in b/ulogd.conf.in
index 8893175..9624a4b 100644
--- a/ulogd.conf.in
+++ b/ulogd.conf.in
@@ -209,6 +209,9 @@ sync=1
# by the input plugin is coding the action on packet: if 0, then
# packet has been blocked and if non null it has been accepted.
#boolean_label=1
+# Uncomment the following line to use JSON v1 event format that
+# can provide better compatility with some JSON file reader.
+#eventv1=1
[pcap1]
#default file is /var/log/ulogd.pcap