From d3938b61d289accc1148f883182d59f17ad53aaf Mon Sep 17 00:00:00 2001
From: Mike Reeves <reevesmk@gmail.com>
Date: Thu, 19 Mar 2026 12:39:37 -0400
Subject: [PATCH] ja4plus nest enabled under ja4plus key for defaults

---
 salt/zeek/config.sls    | 2 +-
 salt/zeek/defaults.yaml | 3 ++-
 salt/zeek/soc_zeek.yaml | 9 +++++----
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/salt/zeek/config.sls b/salt/zeek/config.sls
index 2f58e3846..168e950cb 100644
--- a/salt/zeek/config.sls
+++ b/salt/zeek/config.sls
@@ -167,7 +167,7 @@ zeekja4cfg:
     - group: 939
     - template: jinja
     - defaults:
-        JA4PLUS: {{ ZEEKMERGED.ja4plus }}
+        JA4PLUS: {{ ZEEKMERGED.ja4plus.enabled }}
 
 # BPF compilation failed
 {% if ZEEKBPF and not ZEEK_BPF_STATUS %}
diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml
index 033ed9919..4058b01b8 100644
--- a/salt/zeek/defaults.yaml
+++ b/salt/zeek/defaults.yaml
@@ -1,6 +1,7 @@
 zeek:
   enabled: False
-  ja4plus: False
+  ja4plus:
+    enabled: False
   config:
     node:
       lb_procs: 0
diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml
index 4c9b70efb..ccb57acbb 100644
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
@@ -3,10 +3,11 @@ zeek:
     description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in loss of network protocol metadata. If Suricata was selected as the protocol metadata engine during setup then this will already be disabled.
     helpLink: zeek
   ja4plus:
-    description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license  [https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4](https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
-    forcedType: bool
-    helpLink: zeek
-    advanced: False
+    enabled:
+      description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license  [https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4](https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
+      forcedType: bool
+      helpLink: zeek
+      advanced: False
   config:
     local:
       load: