From 63b9f6c3243cbfaae173cc77783f39ef18700393 Mon Sep 17 00:00:00 2001
From: BenB196
Date: Tue, 19 Nov 2019 19:15:54 -0500
Subject: [PATCH] Added support for new FFS fields Resolves issue #17
---
 README.md | 5 +++++
 ffs.go | 25 +++++++++++++++++++++++--
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 53d7348..e35058a 100644
--- a/README.md
+++ b/README.md
@@ -143,6 +143,11 @@ FileEvent
 RemovableMediaVolumeName string (potentially empty)
 RemovableMediaPartitionId string (potentially empty)
 SyncDestination string (potentially empty)
+ EmailDLPPolicyName string (potentially empty)
+ EmailDLPSubject string (potentially empty)
+ EmailDLPSender string (potentially empty)
+ EmailDLPFrom string (potentially empty)
+ EmailDLPRecipients []string (potentially empty)
 ``` - error - Any errors.
diff --git a/ffs.go b/ffs.go
index ce14e25..9848e7e 100644
--- a/ffs.go
+++ b/ffs.go
@@ -62,10 +62,15 @@ type FileEvent struct {
 RemovableMediaVolumeName string `json:"removableMediaVolumeName,omitempty"`
 RemovableMediaPartitionId string `json:"removableMediaPartitionId,omitempty"`
 SyncDestination string `json:"syncDestination,omitempty"`
+ EmailDLPPolicyName string `json:"emailDLPPolicyName,omitempty"`
+ EmailDLPSubject string `json:"emailDLPSubject,omitempty"`
+ EmailDLPSender string `json:"emailDLPSender,omitempty"`
+ EmailDLPFrom string `json:"emailDLPFrom,omitempty"`
+ EmailDLPRecipients []string `json:"emailDLPRecipients,omitempty"`
 }
 //Currently recognized csv headers
-var csvHeaders = []string{"Event ID", "Event type", "Date Observed (UTC)", "Date Inserted (UTC)", "File path", "Filename", "File type", "File Category", "File size (bytes)", "File Owner", "MD5 Hash", "SHA-256 Hash", "Create Date", "Modified Date", "Username", "Device ID", "User UID", "Hostname", "Fully Qualified Domain Name", "IP address (public)", "IP address (private)", "Actor", "Directory ID", "Source", "URL", "Shared", "Shared With", "File exposure changed to", "Cloud drive ID", "Detection Source Alias", "File Id", "Exposure Type", "Process Owner", "Process Name", "Tab/Window Title", "Tab URL", "Removable Media Vendor", "Removable Media Name", "Removable Media Serial Number", "Removable Media Capacity", "Removable Media Bus Type", "Removable Media Media Name", "Removable Media Volume Name", "Removable Media Partition Id", "Sync Destination"}
+var csvHeaders = []string{"Event ID", "Event type", "Date Observed (UTC)", "Date Inserted (UTC)", "File path", "Filename", "File type", "File Category", "File size (bytes)", "File Owner", "MD5 Hash", "SHA-256 Hash", "Create Date", "Modified Date", "Username", "Device ID", "User UID", "Hostname", "Fully Qualified Domain Name", "IP address (public)", "IP address (private)", "Actor", "Directory ID", "Source", "URL", "Shared", "Shared With", "File exposure changed to", "Cloud drive ID", "Detection Source Alias", "File Id", "Exposure Type", "Process Owner", "Process Name", "Tab/Window Title", "Tab URL", "Removable Media Vendor", "Removable Media Name", "Removable Media Serial Number", "Removable Media Capacity", "Removable Media Bus Type", "Removable Media Media Name", "Removable Media Volume Name", "Removable Media Partition Id", "Sync Destination", "Email DLP Policy Name", "Email DLP Subject", "Email DLP Sender", "Email DLP From", "Email DLP Recipients"}
 //Structs of Crashplan FFS API Authentication Token Return
 type AuthData struct {
@@ -207,7 +212,11 @@ func csvLineToFileEvent(csvLine []string) FileEvent {
 removableMediaVolumeName := csvLine[42]
 removableMediaPartitionId := csvLine[43]
 syncDestination := csvLine[44]
-
+ emailDLPPolicyName := csvLine[45]
+ emailDLPSubject := csvLine[46]
+ emailDLPSender := csvLine[47]
+ emailDLPFrom := csvLine[48]
+ emailDLPRecipientsString := csvLine[49] //Convert to slice below
 //Set err
 var err error
@@ -318,6 +327,13 @@ func csvLineToFileEvent(csvLine []string) FileEvent {
 exposure = strings.Split(exposureString,",")
 }
+ //Convert emailDLPRecipients to string slice
+ var emailDLPRecipients []string
+ if emailDLPRecipientsString != "" {
+ emailDLPRecipientsString := strings.Replace(emailDLPRecipientsString, "\n","",-1)
+ exposure = strings.Split(emailDLPRecipientsString,",")
+ }
+
 //Convert removableMediaCapacity to int
 var removableMediaCapacity int
 if removableMediaCapacityString != "" {
@@ -380,6 +396,11 @@ func csvLineToFileEvent(csvLine []string) FileEvent {
 RemovableMediaVolumeName: removableMediaVolumeName,
 RemovableMediaPartitionId: removableMediaPartitionId,
 SyncDestination: syncDestination,
+ EmailDLPPolicyName: emailDLPPolicyName,
+ EmailDLPSubject: emailDLPSubject,
+ EmailDLPSender: emailDLPSender,
+ EmailDLPFrom: emailDLPFrom,
+ EmailDLPRecipients: emailDLPRecipients,
 }
 //set eventTimestamp to nil if empty string
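Review bot: The extended `csvHeaders` slice in the first ffs.go hunk and the hard-coded `csvLine[45]`–`csvLine[49]` reads in `csvLineToFileEvent` encode the same column order in two places, and nothing on the slice says so. A comment such as `//Order must match the positional csvLine indexes read in csvLineToFileEvent` would make that contract visible to whoever appends the next column. The five new struct fields hold mail metadata (subject, sender, recipients), so a short comment above them noting that consumers should treat the values as sensitive when logging or forwarding events would also help. How `csvHeaders` is compared with the response is not visible in this hunk.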
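Review bot: The new reads `csvLine[45]` through `csvLine[49]` in the second ffs.go hunk assume every row has at least 50 fields, and nothing visible there checks the length. If the service still returns the older 45-column layout, or a row arrives truncated, the index expression panics and stops the whole client instead of dropping one event. A guard ahead of the positional reads, for example `if len(csvLine) < len(csvHeaders) {` with an explicit short-row path, would make that a handled condition. The function begins and ends outside the hunk, so an existing header or length check may already cover this and should be confirmed.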
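Review bot: In the third ffs.go hunk the split result is assigned to `exposure` instead of `emailDLPRecipients`, so any event with recipients has its exposure list overwritten with e-mail addresses, and the `EmailDLPRecipients` field set in the struct literal of the last hunk is always nil. For a DLP feed that means both the exposure classification and the recipient list are wrong on exactly the e-mail events. The inner `emailDLPRecipientsString :=` also shadows the outer variable for no benefit. The two lines inside the `if` should become `emailDLPRecipients = strings.Split(strings.Replace(emailDLPRecipientsString, "\n", "", -1), ",")`. The enclosing function begins and ends outside the hunk.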