
Commit 0c44f3f

stream/tcp: account for midstream sessions
Commit 497394e removed inspection of app-proto txs for packets without an established TCP connection. But this meant that the first packet seen in a session picked mid-stream could go without inspection (previous bug 5510 seemed to point towards this behavior, too).

If a flow has more packets, the stream will be inspected as part of the upcoming packets and this would go unnoticed. In a single-packet flow, however, the inspection for the packet would be skipped. Although this might not affect alerts -- as they could be processed as part of the flow timeout logic -- the actual traffic could be evaded in IPS, in case of a drop rule.

From the above, the most visible scenario is when there is only one packet on the flow, as then the engine doesn't have "more time" to pick up real packets to inspect for that given flow. But certain tests show that this can also happen for more-than-one-packet scenarios: there will be one less drop event, or traffic from a packet that should have been already dropped will be logged.

This led to the possibility of a real packet not being blocked, in IPS, or matched against rules, as the corresponding portion of the stream was only inspected later, as part of the stream/flow-timeout logic.

To ensure that we correctly flag the first packet seen for a given mid-stream session, we must check for the session state *after* we have dealt with TCP flags and state.

Related to Bug #5510
As part of Bug #5180
1 parent 063e700 commit 0c44f3f

1 file changed: +8 -5 lines changed

src/stream-tcp.c

Lines changed: 8 additions & 5 deletions
@@ -1,4 +1,4 @@
1-
/* Copyright (C) 2007-2025 Open Information Security Foundation
1+
/* Copyright (C) 2007-2026 Open Information Security Foundation
22
*
33
* You can copy, redistribute or modify this Program under the terms of
44
* the GNU General Public License version 2 as published by the Free
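Review bot: the copyright year bump in the file header is unrelated to the midstream fix the commit message describes; carrying it as its own housekeeping commit would keep this change minimal and easier to backport or bisect.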
@@ -5731,6 +5731,7 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
57315731
if (StreamTcpPacketStateNone(tv, p, stt, ssn) == -1) {
57325732
goto error;
57335733
}
5734+
ssn = (TcpSession *)p->flow->protoctx;
57345735

57355736
if (ssn != NULL)
57365737
SCLogDebug("ssn->alproto %"PRIu16"", p->flow->alproto);
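Review bot: the added `ssn = (TcpSession *)p->flow->protoctx;` directly after the `StreamTcpPacketStateNone()` call is the step that makes a session allocated during that call (the midstream pickup case) visible to the rest of `StreamTcpPacket()`, and the later `if (ssn != NULL)` block depends on it; a one-line comment here saying that the state-none handler may have created the session would spare the next reader from wondering why `ssn` is reloaded from the flow. It is also worth confirming that this is the only handler in the function that can allocate a session, since this is the only place the local `ssn` is refreshed.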
@@ -5804,17 +5805,19 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
58045805

58055806
skip:
58065807
StreamTcpPacketCheckPostRst(ssn, p);
5807-
5808-
if (ssn->state >= TCP_ESTABLISHED) {
5809-
p->flags |= PKT_STREAM_EST;
5810-
}
58115808
}
58125809

58135810
if (ssn != NULL) {
58145811
/* recalc the csum on the packet if it was modified */
58155812
if (p->flags & PKT_STREAM_MODIFIED) {
58165813
ReCalculateChecksum(p);
58175814
}
5815+
5816+
/* if ssn was set in this run (e.g. midstream cases), reflect TCP state on the packet */
5817+
if (ssn->state >= TCP_ESTABLISHED) {
5818+
p->flags |= PKT_STREAM_EST;
5819+
}
5820+
58185821
/* check for conditions that may make us not want to log this packet */
58195822

58205823
/* streams that hit depth */
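Review bot: moving the `PKT_STREAM_EST` check out of the `skip:` block into the common `if (ssn != NULL)` block changes behaviour for the state-none path: a packet whose session was created midstream in this same run now also gets `PKT_STREAM_EST` when `ssn->state >= TCP_ESTABLISHED`, which is the intended fix, but note that the check is now evaluated after `StreamTcpPacketCheckPostRst()` only on the `skip:` path and, on both paths, after the `PKT_STREAM_MODIFIED` checksum recalculation; please confirm that the inspection code consuming `PKT_STREAM_EST` runs after this point so the single-packet midstream case is actually inspected and, in IPS mode, droppable. The commit message refers to tests that showed a missing drop event; referencing those tests (or a suricata-verify case for a one-packet midstream flow with a drop rule) from this commit would make the fix verifiable, and the new comment could name the state-none path explicitly rather than "e.g. midstream cases".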
