From 9710a7773418d0e45196ca5a138ced0dd7d218c9 Mon Sep 17 00:00:00 2001
From: Guillaume Destuynder
Date: Fri, 12 Feb 2016 14:07:47 -0800
Subject: [PATCH] Re-introduce ppid (parent process id) in order to be able to recreate the exact process tree from logs
---
 audisp-json.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/audisp-json.c b/audisp-json.c
index 0130eca..d1ab463 100644
--- a/audisp-json.c
+++ b/audisp-json.c
@@ -1027,6 +1027,8 @@ static void handle_event(auparse_state_t *au,
 goto_record_type(au, type);
 json_msg.details = json_add_attr(json_msg.details, "process", auparse_find_field(au, "exe"));
 goto_record_type(au, type);
+ json_msg.details = json_add_attr(json_msg.details, "ppid", auparse_find_field(au, "ppid"));
+ goto_record_type(au, type);
 json_msg.details = json_add_attr(json_msg.details, "pid", auparse_find_field(au, "pid"));
 goto_record_type(au, type);
 json_msg.details = json_add_attr(json_msg.details, "gid", auparse_find_field(au, "gid"));
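Review bot: The added `auparse_find_field(au, "ppid")` result goes straight into `json_add_attr`, and auparse_find_field returns NULL when the current record has no such field, so please confirm that json_add_attr (not visible in this hunk) skips a NULL value rather than emitting a malformed or empty attribute. The neighbouring `exe`, `pid` and `gid` lookups use the same pattern, so this is presumably already handled, but a silently absent `ppid` would leave gaps in the process tree this commit is meant to make reconstructable. A short comment above the added lines would also help log consumers, e.g. `/* ppid: lets consumers rebuild the process tree; pids are recycled, so correlate with the event timestamp */`. handle_event's body starts and ends outside the hunk, so the record type this branch handles cannot be checked from here.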