Use separate-json-attributes
forensicmatt opened this issue · comments
Curious why not use separate-json-attributes
for the EvtxParserSettings?
The issue with not using this settings is that it causes inconsistent json attribute naming standard:
When ever a XML element as an attribute, the JSON field will split into a #text
and #attributes
. This causes issues on many fronts. Using separate-json-attributes
setting for the parser will normalize the fields and an XML element's value will always be the field name and any element attributes will be placed under <ELEMENT_NAME>_attributes
. This prevents inconsistent field names in JSON serializations.
Some other references:
If you are open to this I can create a PR
Thanks for raising this issue. I have created PR #54 which should implement what you're discussing here. Do you want to take a look and make sure I've implemented it as you were thinking?
I'll merge into master once it's been reviewed.
Looks good. Now you wont have to guess when its going to be Attribute
or Attribute.#text