From 8f5f5b329debe4c77ee37691a0e0546f5301bf6a Mon Sep 17 00:00:00 2001
From: William Ballenthin
Date: Fri, 26 Jun 2020 18:31:26 -0600
Subject: [PATCH] rule: declare the expected hidden meta fields
---
 capa/rules.py | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/capa/rules.py b/capa/rules.py
index a742a40d..15b2d7a5 100644
--- a/capa/rules.py
+++ b/capa/rules.py
@@ -21,7 +21,12 @@ logger = logging.getLogger(__name__)
 # these are the standard metadata fields, in the preferred order.
 # when reformatted, any custom keys will come after these.
-META_KEYS = ("name", "namespace", "rule-category", "author", "description", "lib", "scope", "att&ck", "mbc", "references", "examples")
+META_KEYS = ("name", "namespace", "rule-category", "maec/malware-category", "author", "description", "lib", "scope", "att&ck", "mbc", "references", "examples")
+# these are meta fields that are internal to capa,
+# and added during rule reading/construction.
+# they may help use manipulate or index rules,
+# but should not be exposed to clients.
+HIDDEN_META_KEYS = ("capa/nursery", "capa/path")
 FILE_SCOPE = 'file'
@@ -566,14 +571,12 @@ class Rule(object):
 continue
 move_to_end(meta, key)
- # these are meta fields that are internal to capa,
- # and added during rule reading/construction.
- # they may help use manipulate or index rules,
- # but should not be exposed to clients.
- hidden_meta_keys = ("capa/nursery", "capa/path")
+ # save off the existing hidden meta values,
+ # emit the document,
+ # and re-add the hidden meta.
 hidden_meta = {
 key: meta.get(key)
- for key in hidden_meta_keys
+ for key in HIDDEN_META_KEYS
 }
 for key in hidden_meta.keys():
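Review bot: In the first hunk, the comment on `HIDDEN_META_KEYS` says these fields "should not be exposed to clients", but the only visible consumer is the emitter in the second hunk. `capa/path` presumably holds a local filesystem path, so it is worth confirming that any other code serializing a rule's meta (JSON output, for example) filters on this same constant. The moved comment also carries over a typo; I would write `# they may help us manipulate or index rules,`. The addition of `"maec/malware-category"` to `META_KEYS` is not covered by the subject line and deserves a mention in the commit message.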
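Review bot: In the second hunk, `meta.get(key)` stores `None` for a hidden key the rule never had, so the saved dict cannot tell "absent" from "present". The removal loop that starts at `for key in hidden_meta.keys():` and the re-add step both continue outside the hunk, so I cannot see whether they skip those entries. If they do not, a rule without `capa/nursery` could either fail on removal or come back with a `None`-valued `capa/nursery` after emitting. Building the dict as `hidden_meta = {key: meta[key] for key in HIDDEN_META_KEYS if key in meta}` would avoid both cases. Because `meta` is mutated in place around the emit, the re-add may also belong in a `finally` so the hidden fields survive a failed dump.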