From 4f0bd67ca9441f176da722f6392a1fe044e9ee38 Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Thu, 9 Jun 2022 01:16:27 +0900
Subject: [PATCH] changed treat of suffix in data #487
---
 src/detections/print.rs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/detections/print.rs b/src/detections/print.rs
index 9f5dc78e..5680ab63 100644
--- a/src/detections/print.rs
+++ b/src/detections/print.rs
@@ -177,11 +177,11 @@ impl Message {
 Some(cap) => cap.get(1).map_or(-1, |a| a.as_str().parse().unwrap_or(-1)),
 None => -1,
 };
- if suffix >= 0 {
+ if suffix >= 1 {
 tmp_event_record = tmp_event_record
 .get("Data")
 .unwrap()
- .get(suffix as usize)
+ .get((suffix - 1) as usize)
 .unwrap_or(tmp_event_record);
 }
 let hash_value = get_serde_number_to_string(tmp_event_record);
@@ -614,7 +614,7 @@ mod tests {
 assert_eq!(
 message.parse_message(
 &event_record,
- "commandline:%CommandLine% data:%Data[1]%".to_owned()
+ "commandline:%CommandLine% data:%Data[2]%".to_owned()
 ),
 expected,
 );
@@ -647,7 +647,7 @@ mod tests {
 assert_eq!(
 message.parse_message(
 &event_record,
- "commandline:%CommandLine% data:%Data[-1]%".to_owned()
+ "commandline:%CommandLine% data:%Data[0]%".to_owned()
 ),
 expected,
 );
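Review bot: Inside the new `if suffix >= 1` branch, `.get("Data").unwrap()` will still panic when the selected value has no `Data` member (unless code outside the hunk guarantees one), and an out-of-range index falls back to the unindexed value through `unwrap_or(tmp_event_record)`, so a mistyped `%Data[n]%` in a rule either aborts the run or prints something other than the requested element. I would collapse the chain to `if let Some(v) = tmp_event_record.get("Data").and_then(|d| d.get((suffix - 1) as usize)) { tmp_event_record = v; }`, which keeps the existing fallback and removes the panic path. With 1-based indexing `%Data[0]%` now behaves like a placeholder with no index and rules written against the old 0-based form select the neighbouring element, so a comment above the `if` such as `// Data[n] is 1-based; n < 1 or an unparsable index leaves the value unindexed` would help anyone reading alert output. The enclosing function starts and ends outside the hunk.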
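Review bot: The two updated cases (here and in the hunk at line 647) pin `%Data[2]%` and `%Data[0]%`, but neither visible case covers `%Data[1]%`, the first element and the exact boundary this commit moves, nor an index past the end of the array. Unless tests outside these hunks already do so, I would add one assertion for each, e.g. a format string `"commandline:%CommandLine% data:%Data[1]%".to_owned()` expecting the first `Data` entry. Replacing the `%Data[-1]%` input also drops the only visible check of a negative index. Both test functions start and end outside the hunks.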