Difference between extra-data and overwrite in the xff config section

Hi, I'm setting up the xff config like this. I tried setting xff.mode to "overwrite", but src_ip and flow.src_ip are always the proxy server's IP, not the XFF IP, in the alert.json log file.

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: alert.json
      types:
        - alert:
            payload: no
            payload-buffer-size: 4kb
            payload-printable: yes
            http-header: yes
            http-body: no
            http-body-printable: yes
            tagged-packets: yes
            metadata:
              app-layer: true
              flow: true
              rule:
                metadata: true
                raw: false
      xff:
        enabled: yes
        mode: overwrite
        deployment: reverse
        header: X-Forwarded-For,X-Real-IP

example log:

{
	"alert": {
		"action": "allowed",
		"category": "Web Application Attack",
		"gid": 1,
		"rev": 1,
		"severity": 1,
		"signature": "Atlassian Confluence hard-coded credentials attack (CVE-2022-26138)",
		"signature_id": 1000030
	},
	"app_proto": "http",
	"dest_ip": "10.x.x.x",
	"dest_port": 8090,
	"direction": "to_server",
	"event_type": "alert",
	"files": [{
		"filename": "/dologin.action",
		"gaps": false,
		"size": 114,
		"state": "CLOSED",
		"stored": false,
		"tx_id": 0
	}],
	"flow": {
		"bytes_toclient": 1473,
		"bytes_toserver": 694,
		"dest_ip": "10.x.x.x",
		"dest_port": 8090,
		"pkts_toclient": 4,
		"pkts_toserver": 4,
		"src_ip": "10.x.x.x",
		"src_port": 36282,
		"start": "2024-06-24T11:19:42.223828+0800"
	},
	"flow_id": 1805762209527624,
	"host": "nta01",
	"http": {
		"hostname": "x.com",
		"http_content_type": "text/html",
		"http_method": "POST",
		"http_request_body_printable": "os_username=disabledsystemuser&os_password=disabled1system1user6708&login=Log+in&os_destination=%2Fhttpvoid.action",
		"http_response_body_printable": "<!DOCTYPE html><html><head></head><body><div id=app></div></body></html>",
		"http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
		"length": 1051,
		"protocol": "HTTP/1.1",
		"status": 404,
		"url": "/dologin.action",
		"xff": "51.15.230.111"
	},
	"in_iface": "eth1",
	"payload_printable": "POST /dologin.action HTTP/1.1\r\nHost: x.com\r\nX-Forwarded-For: 51.15.230.111\r\nConnection: close\r\nContent-Length: 114\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip\r\n\r\nos_username=disabledsystemuser&os_password=disabled1system1user6708&login=Log+in&os_destination=%2Fhttpvoid.action",
	"pkt_src": "wire/pcap",
	"proto": "TCP",
	"src_ip": "10.x.x.x",
	"src_port": 36282,
	"stream": 1,
	"timestamp": "2024-06-24T11:19:42.228988+0800",
	"tx_id": 0,
	"vlan": [
		1235
	]
}
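To make the two xff modes concrete, here is a small Python emulation of what eve-log does with an alert record under extra-data versus overwrite. This is an added example, not Suricata's own code or the poster's config: it parses the request headers out of payload_printable, picks the client address the way the deployment setting implies (reverse takes the last address in the list, the one appended by your own proxy; forward takes the first), drops anything that is not a valid IP, and then either adds an "xff" field (extra-data) or replaces the event-level src_ip/dest_ip (overwrite). Treating the header option as a comma-separated list of names, as in the config above, is this example's own choice and not a claim about how Suricata parses that string; the nested flow object is left exactly as logged. The sample alert is constructed, modelled on the event shape in the post, with 10.0.0.5 standing in for the proxy and RFC 5737 addresses for clients.

```python
"""Emulate Suricata eve-log xff handling (extra-data vs overwrite) on an alert record.

Added example; not Suricata source.  The header-list handling and the choice to
leave the nested "flow" object untouched are this example's assumptions.
"""
import ipaddress
import json

# Constructed sample alert, shaped like the event in the post above.
# 10.0.0.5 is the reverse proxy, 10.0.0.20 the Confluence host behind it.
SAMPLE_ALERT = {
    "event_type": "alert",
    "src_ip": "10.0.0.5",
    "src_port": 36282,
    "dest_ip": "10.0.0.20",
    "dest_port": 8090,
    "direction": "to_server",
    "flow": {"src_ip": "10.0.0.5", "src_port": 36282,
             "dest_ip": "10.0.0.20", "dest_port": 8090},
    "payload_printable": (
        "POST /dologin.action HTTP/1.1\r\n"
        "Host: x.com\r\n"
        "X-Forwarded-For: 198.51.100.7, 203.0.113.9\r\n"
        "Connection: close\r\n\r\n"
        "os_username=disabledsystemuser&os_password=redacted"
    ),
}


def parse_request_headers(raw):
    """Return {lower-cased name: value} for the header block of a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def xff_ip(headers, header="X-Forwarded-For", deployment="reverse"):
    """Pick the client address from the configured header(s).

    'reverse' takes the last hop (appended by our own proxy, so trusted),
    'forward' the first.  Header names are tried in the order given
    (assumption: a comma-separated list, as written in the post's config).
    Returns None when no header matches or the value is not an IP address,
    since the header content is attacker-controlled before it reaches the proxy.
    """
    for name in header.split(","):
        value = headers.get(name.strip().lower())
        if value:
            break
    else:
        return None
    hops = [h.strip() for h in value.split(",") if h.strip()]
    candidate = hops[-1] if deployment == "reverse" else hops[0]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def apply_xff(alert, mode="overwrite", header="X-Forwarded-For", deployment="reverse"):
    """Return a copy of `alert` as it would look under the given xff mode."""
    out = json.loads(json.dumps(alert))  # deep copy; never mutate the input
    ip = xff_ip(parse_request_headers(alert.get("payload_printable", "")),
                header, deployment)
    if ip is None:
        return out
    if mode == "extra-data":
        out["xff"] = ip  # original addresses kept, client IP added alongside
    elif mode == "overwrite":
        # Replace the event-level address on the client side of the packet.
        key = "dest_ip" if alert.get("direction") == "to_client" else "src_ip"
        out[key] = ip
    return out


if __name__ == "__main__":
    for mode in ("extra-data", "overwrite"):
        print(mode, json.dumps({k: v for k, v in apply_xff(SAMPLE_ALERT, mode).items()
                                if k in ("src_ip", "dest_ip", "xff", "flow")}))
```

Running it shows the practical difference: extra-data keeps src_ip as the proxy and adds "xff": "203.0.113.9", while overwrite puts 203.0.113.9 straight into src_ip. Whichever mode you use, only trust the hop your own proxy appended (the last one in a reverse deployment); the earlier entries are whatever the client chose to send.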

Could you provide an example pcap?

Sorry, it has expired, and it contains some sensitive keywords about my company, so I can't provide it.