Add names of attributes to parsed EventData

[PsySuck]

Hi. When parse_description is false, eventdata will be added to message, but only values. Example: "EventData":["2478079","2023-02-03","200","Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/109.0.0.0+Safari/537.36+Edg/109.0.1518.78"]} But in xml: <EventData> <Data Name="EnabledFieldsFlags">2478079</Data> <Data Name="date">2023-02-07</Data> <Data Name="sc-status">200</Data> <Data Name="csUser-Agent">Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/109.0.0.0+Safari/537.36</Data> </EventData> Is it possible to add name of attributes to parsed EventData? "EventData":["EnabledFieldsFlags":"2478079","date":"2023-02-03","sc-status":"200","csUser-Agent":"Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/109.0.0.0+Safari/537.36+Edg/109.0.1518.78"]}

[daipom]

I see. Looks like it is not possible now. It looks like the library winevt_c does not have the feature:

https://github.com/fluent-plugins-nursery/winevt_c/blob/9dd9c81432b1e0180c7abc19de8415bb42db2e49/ext/winevt/winevt_utils.cpp#L172-L405

I'm not sure how to achieve this as a Win32 API in the first place. It looks like there is no description of how to take the Data Name of the EventData (The result for EvtRenderContextUser).

• https://learn.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtrender
• https://learn.microsoft.com/en-us/windows/win32/wes/rendering-events

If we figure out how to use the Win32 API for this, it would be possible to improve the library.