TheHive-Project / TheHiveDocs

Documentation of TheHive
https://docs.strangebee.com/
GNU Affero General Public License v3.0

Custom Fields not visible in UI when Alert is added via /api/alert #231

Open hkelley opened 3 years ago

hkelley commented 3 years ago

I post the following alert to TheHive 4.1.2-1 via the API.

The alert is created, but customFields comes back empty. Do custom fields only work with a template?

{
    "title":  "High Connection Count: 9.9.2.10",
    "description":  "9.9.2.10 [PTR: xyzdc1.xyz.net] connected to 210 unique sockets across 99 hosts. \r\nPorts included: 135,389,137,443,445. \r\nTraffic observed during 2021-04-19T17:32:17.738Z to 2021-04-19T18:32:09.737Z.",
    "type":  "netflow",
    "source":  "9.9.2.10",
    "sourceRef":  "High Connection Count",
    "severity":  1,
    "tlp":  1,
    "customField":  {
                        "clientContext":  {
                                              "string":  "\u003chttps://abc.net/investigate/events/en-US/app/eam2/investigate__ip?form.sourceip=9.9.2.10\u0026earliest=2021-04-19T17:32:17.738Z\u0026latest=2021-04-19T18:32:09.737Z|IP Search\u003e",
                                              "order":  0
                                          }
                    },
    "artifacts":  [
                      {
                          "dataType":  "ip",
                          "data":  "9.9.2.10",
                          "message":  "source IP reported by netflow"
                      },
                      {
                          "dataType":  "domain",
                          "data":  "xyzdc1.xyz.net",
                          "message":  "Reverse DNS at the time of alert creation"
                      }
                  ]
}
MauricioUrb commented 2 years ago

Hello, did you solve this issue? I have the same problem. Searching for how to solve this error, I got here, and considering the other tests I have made and the versions of the required software in my tests, it is hard to believe the solution lies in some software incompatibility.

I have tried TheHive 4 and 3.5 with Elasticsearch 7, and the latest versions of Python and thehive4py. The "only difference" is that in my tests I was able to download python-magic 0.4.25, but on the machine where I use the API (the client that connects to the server running TheHive) I can only download version 0.4.14 to make the API work. Do you think this could be part of the issue?

Another thing I don't think is causing this problem is the SSL part, because all other info is shown with no problem (before doing the SSL part the correct way, I wanted to make my script OK).

In the JSON it shows the customFields, but like you said, in the UI it is empty (not even the message "No data available" that appears when there is nothing). If the alert is promoted to a case, there is also nothing in the customFields. So somehow the data is inserted but not queried by the UI.

I hope you can help me. Best regards.
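The reproduction payload in the first comment carries its custom field under the key customField, while the thehive4py client mentioned in the second comment sends the map under customFields (plural), in the shape its CustomFieldHelper and Alert models build: {"<name>": {"<type>": value, "order": n}}. The script below is an added example, not code from TheHive or thehive4py: it builds an alert body in that shape, lints a payload for departures from it before sending, and compares the server's response with what was sent so a dropped field shows up in the script rather than only in the UI. The base URL, API key, the two sample responses and the CUSTOM_FIELD_TYPES set are assumptions made for the example; custom fields also have to be defined on the instance (Admin > Custom fields) before an alert can carry them, which is worth checking alongside the payload shape.

```python
"""Build a TheHive alert with custom fields, lint the payload and check the response.

Added example, not TheHive or thehive4py code. The payload shape (key "customFields"
holding {"<name>": {"<type>": value, "order": n}}) mirrors what the thehive4py 1.x
CustomFieldHelper/Alert models send to POST /api/alert. The server URL, API key and
the two "responses" at the bottom are constructed placeholders.
"""
import json
import urllib.request
from typing import Any, Dict, List

# Value types a TheHive 4 custom field can hold (assumed set; "date" values are epoch ms).
CUSTOM_FIELD_TYPES = {"string", "integer", "float", "number", "boolean", "date"}


def build_custom_fields(**fields: Any) -> Dict[str, Dict[str, Any]]:
    """Return the custom-field map in thehive4py's shape, one entry per keyword argument."""
    out: Dict[str, Dict[str, Any]] = {}
    for order, (name, value) in enumerate(fields.items()):
        if isinstance(value, bool):      # bool first: bool is a subclass of int
            kind = "boolean"
        elif isinstance(value, int):
            kind = "integer"
        elif isinstance(value, float):
            kind = "float"
        else:
            kind = "string"
        out[name] = {kind: value, "order": order}
    return out


def build_alert(title: str, description: str, alert_type: str, source: str,
                source_ref: str, custom_fields: Dict[str, Any],
                artifacts: List[Dict[str, str]], severity: int = 1, tlp: int = 1) -> Dict[str, Any]:
    """Assemble the POST /api/alert body; the custom-field key is the plural "customFields"."""
    return {
        "title": title, "description": description, "type": alert_type,
        "source": source, "sourceRef": source_ref,
        "severity": severity, "tlp": tlp,
        "customFields": custom_fields, "artifacts": artifacts,
    }


def lint_alert_payload(payload: Dict[str, Any]) -> List[str]:
    """Report where a payload departs from the shape above, before it is sent."""
    problems: List[str] = []
    if "customFields" not in payload:
        similar = [k for k in payload if k.lower().startswith("customfield")]
        problems.append(f"missing 'customFields' key; found {similar or 'no similar key'}")
        return problems
    for name, cell in payload["customFields"].items():
        if not isinstance(cell, dict):
            problems.append(f"{name}: expected a map like {{'string': ...}}, got {type(cell).__name__}")
            continue
        kinds = set(cell) - {"order"}
        if len(kinds) != 1 or not kinds <= CUSTOM_FIELD_TYPES:
            problems.append(f"{name}: expected exactly one type key from "
                            f"{sorted(CUSTOM_FIELD_TYPES)}, got {sorted(kinds)}")
    return problems


def check_round_trip(sent: Dict[str, Any], created: Dict[str, Any]) -> List[str]:
    """Names of custom fields the created alert does not echo back with the value sent."""
    got = created.get("customFields") or {}
    lost: List[str] = []
    for name, cell in sent["customFields"].items():
        kind = next(k for k in cell if k != "order")
        if not isinstance(got.get(name), dict) or got[name].get(kind) != cell[kind]:
            lost.append(name)
    return lost


def post_alert(base_url: str, api_key: str, payload: Dict[str, Any]) -> Dict[str, Any]:
    """POST the alert with TheHive's bearer-token auth and return the decoded response."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/alert",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:  # placeholder URL/key; not called in the demo below
        return json.load(resp)


# Constructed sample alert modelled on the issue's payload (not the original JSON).
ALERT = build_alert(
    title="High Connection Count: 9.9.2.10",
    description="9.9.2.10 connected to 210 unique sockets across 99 hosts.",
    alert_type="netflow", source="9.9.2.10", source_ref="High Connection Count",
    custom_fields=build_custom_fields(clientContext="<https://abc.net/investigate?ip=9.9.2.10|IP Search>"),
    artifacts=[{"dataType": "ip", "data": "9.9.2.10", "message": "source IP reported by netflow"}],
)

# The same alert with the singular key used in the issue's reproduction.
ALERT_SINGULAR_KEY = {("customField" if k == "customFields" else k): v for k, v in ALERT.items()}

# Constructed responses: one echoing the field back, one with it empty as the issue reports.
RESPONSE_OK = {"_id": "~1", "customFields": {
    "clientContext": {"string": ALERT["customFields"]["clientContext"]["string"], "order": 0}}}
RESPONSE_EMPTY = {"_id": "~2", "customFields": {}}

if __name__ == "__main__":
    print("lint (plural key):  ", lint_alert_payload(ALERT))
    print("lint (singular key):", lint_alert_payload(ALERT_SINGULAR_KEY))
    print("lost (echoed back): ", check_round_trip(ALERT, RESPONSE_OK))
    print("lost (empty):       ", check_round_trip(ALERT, RESPONSE_EMPTY))
```

Run the lint against the exact body your client serialises (thehive4py exposes it via Alert.jsonify() in the 1.x line) rather than against the Python object, and run check_round_trip on the JSON returned by the create call; if a field is lost already at that point, the UI rendering mentioned in the thread is not where to look first.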