Move file_analysis code to zeek namespaces

2025-10-04 15:48:19 +00:00 · 2020-08-01 10:47:36 -07:00 · 2020-08-01 10:47:36 -07:00 · 14408235b8
commit 14408235b8
parent 8411adf9e1
66 changed files with 554 additions and 410 deletions
--- a/src/Reporter.h
+++ b/src/Reporter.h
@ -16,7 +16,7 @@
 #include "net_util.h"
 ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, analyzer);
-namespace file_analysis { class File; }
+ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Connection, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(EventHandlerPtr, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek);
--- a/src/analyzer/protocol/file/File.cc
+++ b/src/analyzer/protocol/file/File.cc
@ -33,10 +33,10 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	if ( orig )
-		file_id_orig = file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(),
+		file_id_orig = zeek::file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(),
 		                                      orig, file_id_orig);
 	else
-		file_id_resp = file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(),
+		file_id_resp = zeek::file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(),
 		                                      orig, file_id_resp);
 	}
@ -45,10 +45,10 @@ void File_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	if ( orig )
-		file_id_orig = file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig,
+		file_id_orig = zeek::file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig,
 		                                   file_id_orig);
 	else
-		file_id_resp = file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig,
+		file_id_resp = zeek::file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig,
 		                                   file_id_resp);
 	}
@ -60,20 +60,20 @@ void File_Analyzer::Done()
 		Identify();
 	if ( ! file_id_orig.empty() )
-		file_mgr->EndOfFile(file_id_orig);
+		zeek::file_mgr->EndOfFile(file_id_orig);
 	else
-		file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true);
+		zeek::file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true);
 	if ( ! file_id_resp.empty() )
-		file_mgr->EndOfFile(file_id_resp);
+		zeek::file_mgr->EndOfFile(file_id_resp);
 	else
-		file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false);
+		zeek::file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false);
 	}
 void File_Analyzer::Identify()
 	{
 	zeek::detail::RuleMatcher::MIME_Matches matches;
-	file_mgr->DetectMIME(reinterpret_cast<const u_char*>(buffer), buffer_len,
+	zeek::file_mgr->DetectMIME(reinterpret_cast<const u_char*>(buffer), buffer_len,
 	                           &matches);
 	std::string match = matches.empty() ? "<unknown>"
 		: *(matches.begin()->second.begin());
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@ -248,14 +248,17 @@ bool HTTP_Entity::Undelivered(int64_t len)
 	if ( is_partial_content )
 		{
-		precomputed_file_id = file_mgr->Gap(body_length, len,
+		precomputed_file_id = zeek::file_mgr->Gap(
 			body_length, len,
 			http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
 			http_message->MyHTTP_Analyzer()->Conn(),
 			http_message->IsOrig(), precomputed_file_id);
 		offset += len;
 		}
 	else
-		precomputed_file_id = file_mgr->Gap(body_length, len,
+		precomputed_file_id = zeek::file_mgr->Gap(
 			body_length, len,
 			http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
 			http_message->MyHTTP_Analyzer()->Conn(),
 			http_message->IsOrig(),
@ -313,12 +316,14 @@ void HTTP_Entity::SubmitData(int len, const char* buf)
 	if ( is_partial_content )
 		{
 		if ( send_size && instance_length > 0 )
-			precomputed_file_id = file_mgr->SetSize(instance_length,
+			precomputed_file_id = zeek::file_mgr->SetSize(
 				instance_length,
 				http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
 				http_message->MyHTTP_Analyzer()->Conn(),
 				http_message->IsOrig(), precomputed_file_id);
-		precomputed_file_id = file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len, offset,
+		precomputed_file_id = zeek::file_mgr->DataIn(
 			reinterpret_cast<const u_char*>(buf), len, offset,
 			http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
 			http_message->MyHTTP_Analyzer()->Conn(),
 			http_message->IsOrig(), precomputed_file_id);
@ -328,13 +333,15 @@ void HTTP_Entity::SubmitData(int len, const char* buf)
 	else
 		{
 		if ( send_size && content_length > 0 )
-			precomputed_file_id = file_mgr->SetSize(content_length,
+			precomputed_file_id = zeek::file_mgr->SetSize(
 				content_length,
 				http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
 				http_message->MyHTTP_Analyzer()->Conn(),
 				http_message->IsOrig(),
 				precomputed_file_id);
-		precomputed_file_id = file_mgr->DataIn(reinterpret_cast<const u_char*>(buf),
+		precomputed_file_id = zeek::file_mgr->DataIn(
 			reinterpret_cast<const u_char*>(buf),
 			len,
 			http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
 			http_message->MyHTTP_Analyzer()->Conn(),
@ -643,9 +650,9 @@ void HTTP_Message::Done(bool interrupted, const char* detail)
 		HTTP_Entity* he = dynamic_cast<HTTP_Entity*>(top_level);
 		if ( he && ! he->FileID().empty() )
-			file_mgr->EndOfFile(he->FileID());
+			zeek::file_mgr->EndOfFile(he->FileID());
 		else
-			file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(),
+			zeek::file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(),
 			                          MyHTTP_Analyzer()->Conn(), is_orig);
 		}
@ -723,9 +730,9 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
 		HTTP_Entity* he = dynamic_cast<HTTP_Entity*>(entity);
 		if ( he && ! he->FileID().empty() )
-			file_mgr->EndOfFile(he->FileID());
+			zeek::file_mgr->EndOfFile(he->FileID());
 		else
-			file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(),
+			zeek::file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(),
 			                          MyHTTP_Analyzer()->Conn(), is_orig);
 		}
 	}
@ -879,12 +886,12 @@ void HTTP_Analyzer::Done()
 	unanswered_requests = {};
-	file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true);
+	zeek::file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true);
 	/* TODO: this might be nice to have, but reply code is cleared by now.
 	if ( HTTP_ReplyCode() != 206 )
 		// multipart/byteranges may span multiple connections
-		file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false);
+		zeek::file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false);
 	*/
 	}
--- a/src/analyzer/protocol/krb/krb-padata.pac
+++ b/src/analyzer/protocol/krb/krb-padata.pac
@ -73,12 +73,13 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz
 				file_handle.Add(common.Description());
 				file_handle.Add(0);
-				string file_id = file_mgr->HashHandle(file_handle.Description());
+				string file_id = zeek::file_mgr->HashHandle(file_handle.Description());
-				file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
+				zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
 				                       cert.length(), bro_analyzer->GetAnalyzerTag(),
-				                 bro_analyzer->Conn(), true, file_id, "application/x-x509-user-cert");
+				                       bro_analyzer->Conn(), true, file_id,
-				file_mgr->EndOfFile(file_id);
+				                       "application/x-x509-user-cert");
 				zeek::file_mgr->EndOfFile(file_id);
 				break;
 				}
@ -97,12 +98,13 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz
 				file_handle.Add(common.Description());
 				file_handle.Add(1);
-				string file_id = file_mgr->HashHandle(file_handle.Description());
+				string file_id = zeek::file_mgr->HashHandle(file_handle.Description());
-				file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
+				zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
 				                       cert.length(), bro_analyzer->GetAnalyzerTag(),
-				                 bro_analyzer->Conn(), false, file_id, "application/x-x509-user-cert");
+				                       bro_analyzer->Conn(), false, file_id,
-				file_mgr->EndOfFile(file_id);
+				                       "application/x-x509-user-cert");
 				zeek::file_mgr->EndOfFile(file_id);
 				break;
 				}
--- a/src/analyzer/protocol/mime/MIME.cc
+++ b/src/analyzer/protocol/mime/MIME.cc
@ -150,7 +150,7 @@ int fputs(zeek::data_chunk_t b, FILE* fp)
 void MIME_Mail::Undelivered(int len)
 	{
-	cur_entity_id = file_mgr->Gap(cur_entity_len, len,
+	cur_entity_id = zeek::file_mgr->Gap(cur_entity_len, len,
 	                                    analyzer->GetAnalyzerTag(), analyzer->Conn(),
 	                                    is_orig, cur_entity_id);
 	}
@ -1387,7 +1387,7 @@ void MIME_Mail::Done()
 	MIME_Message::Done();
-	file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
+	zeek::file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
 	}
 MIME_Mail::~MIME_Mail()
@ -1433,7 +1433,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
 	if ( mime_end_entity )
 		analyzer->EnqueueConnEvent(mime_end_entity, analyzer->ConnVal());
-	file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
+	zeek::file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
 	cur_entity_id.clear();
 	}
@ -1492,7 +1492,8 @@ void MIME_Mail::SubmitData(int len, const char* buf)
 		);
 		}
-	cur_entity_id = file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len,
+	cur_entity_id = zeek::file_mgr->DataIn(
 		reinterpret_cast<const u_char*>(buf), len,
 		analyzer->GetAnalyzerTag(), analyzer->Conn(), is_orig,
 		cur_entity_id);
--- a/src/analyzer/protocol/rdp/rdp-analyzer.pac
+++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac
@ -212,15 +212,15 @@ refine flow RDP_Flow += {
 		file_handle.AddRaw("Analyzer::ANALYZER_RDP");
 		file_handle.Add(connection()->bro_analyzer()->Conn()->StartTime());
 		connection()->bro_analyzer()->Conn()->IDString(&file_handle);
-		string file_id = file_mgr->HashHandle(file_handle.Description());
+		string file_id = zeek::file_mgr->HashHandle(file_handle.Description());
-		file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
+		zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
 		                       cert.length(),
 		                       connection()->bro_analyzer()->GetAnalyzerTag(),
 		                       connection()->bro_analyzer()->Conn(),
 		                       false, // It seems there are only server certs?
 		                       file_id, "application/x-x509-user-cert");
-		file_mgr->EndOfFile(file_id);
+		zeek::file_mgr->EndOfFile(file_id);
 		return true;
 		%}
--- a/src/analyzer/protocol/smb/smb1-com-close.pac
+++ b/src/analyzer/protocol/smb/smb1-com-close.pac
@ -8,7 +8,7 @@ refine connection SMB_Conn += {
 			                                     SMBHeaderVal(h),
 			                                     ${val.file_id});
-		file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),
+		zeek::file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),
 		                          bro_analyzer()->Conn(), h->is_orig());
 		return true;
--- a/src/analyzer/protocol/smb/smb1-com-read-andx.pac
+++ b/src/analyzer/protocol/smb/smb1-com-read-andx.pac
@ -33,7 +33,7 @@ refine connection SMB_Conn += {
 			uint64 offset = read_offsets[${h.mid}];
 			read_offsets.erase(${h.mid});
-			file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset,
+			zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset,
 			                       bro_analyzer()->GetAnalyzerTag(),
 			                       bro_analyzer()->Conn(), h->is_orig());
 			}
--- a/src/analyzer/protocol/smb/smb1-com-write-andx.pac
+++ b/src/analyzer/protocol/smb/smb1-com-write-andx.pac
@ -12,7 +12,7 @@ refine connection SMB_Conn += {
 		if ( ! ${h.is_pipe} && ${val.data}.length() > 0 )
 			{
-			file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(),
+			zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(),
 			                       ${val.write_offset},
 			                       bro_analyzer()->GetAnalyzerTag(),
 			                       bro_analyzer()->Conn(), h->is_orig());
--- a/src/analyzer/protocol/smb/smb2-com-close.pac
+++ b/src/analyzer/protocol/smb/smb2-com-close.pac
@ -10,7 +10,7 @@ refine connection SMB_Conn += {
 			                                     BuildSMB2GUID(${val.file_id}));
 			}
-		file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),
+		zeek::file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),
 		                          bro_analyzer()->Conn(), h->is_orig());
 		return true;
--- a/src/analyzer/protocol/smb/smb2-com-read.pac
+++ b/src/analyzer/protocol/smb/smb2-com-read.pac
@ -50,7 +50,7 @@ refine connection SMB_Conn += {
 		if ( ! ${h.is_pipe} && ${val.data_len} > 0 )
 			{
-			file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset,
+			zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset,
 			                       bro_analyzer()->GetAnalyzerTag(),
 			                       bro_analyzer()->Conn(), h->is_orig());
 			}
--- a/src/analyzer/protocol/smb/smb2-com-write.pac
+++ b/src/analyzer/protocol/smb/smb2-com-write.pac
@ -14,7 +14,7 @@ refine connection SMB_Conn += {
 		if ( ! ${h.is_pipe} && ${val.data}.length() > 0 )
 			{
-			file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, ${val.offset},
+			zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, ${val.offset},
 			                       bro_analyzer()->GetAnalyzerTag(),
 			                       bro_analyzer()->Conn(), h->is_orig());
 			}
--- a/src/analyzer/protocol/ssl/proc-certificate.pac
+++ b/src/analyzer/protocol/ssl/proc-certificate.pac
@ -26,12 +26,13 @@
 			file_handle.Add(common.Description());
 			file_handle.Add(i);
-			string file_id = file_mgr->HashHandle(file_handle.Description());
+			string file_id = zeek::file_mgr->HashHandle(file_handle.Description());
-			file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
+			zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
 			                       cert.length(), bro_analyzer()->GetAnalyzerTag(),
-			                 bro_analyzer()->Conn(), is_orig, file_id, i == 0 ? user_mime : ca_mime);
+			                       bro_analyzer()->Conn(), is_orig,
-			file_mgr->EndOfFile(file_id);
+			                       file_id, i == 0 ? user_mime : ca_mime);
 			zeek::file_mgr->EndOfFile(file_id);
 			}
 		return true;
 		%}
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@ -307,9 +307,9 @@ refine connection Handshake_Conn += {
 			file_handle.Add(common.Description());
 			file_handle.Add("ocsp");
-			string file_id = file_mgr->HashHandle(file_handle.Description());
+			string file_id = zeek::file_mgr->HashHandle(file_handle.Description());
-			file_mgr->DataIn(reinterpret_cast<const u_char*>(response.data()),
+			zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(response.data()),
 			                       response.length(), bro_analyzer()->GetAnalyzerTag(),
 			                       bro_analyzer()->Conn(), false, file_id, "application/ocsp-response");
@ -319,7 +319,7 @@ refine connection Handshake_Conn += {
 				        ${rec.is_orig},
 				        zeek::make_intrusive<zeek::StringVal>(response.length(), (const char*) response.data()));
-			file_mgr->EndOfFile(file_id);
+			zeek::file_mgr->EndOfFile(file_id);
 			}
 		else if ( response.length() == 0 )
 			{
--- a/src/binpac_bro.h
+++ b/src/binpac_bro.h
@ -12,7 +12,7 @@
 namespace binpac {
 using BroAnalyzer = zeek::analyzer::Analyzer*;
-using BroFileAnalyzer = file_analysis::Analyzer;
+	using BroFileAnalyzer = zeek::file_analysis::Analyzer;
 using BroVal = zeek::Val*;
 using BroPortVal = zeek::PortVal*;
 using BroStringVal = zeek::StringVal*;
--- a/src/file_analysis/Analyzer.cc
+++ b/src/file_analysis/Analyzer.cc
@ -4,21 +4,23 @@
 #include "Manager.h"
 #include "Val.h"
-file_analysis::ID file_analysis::Analyzer::id_counter = 0;
+namespace zeek::file_analysis {
-file_analysis::Analyzer::~Analyzer()
+ID Analyzer::id_counter = 0;
 Analyzer::~Analyzer()
 	{
 	DBG_LOG(zeek::DBG_FILE_ANALYSIS, "Destroy file analyzer %s",
 	        file_mgr->GetComponentName(tag).c_str());
 	}
-void file_analysis::Analyzer::SetAnalyzerTag(const file_analysis::Tag& arg_tag)
+void Analyzer::SetAnalyzerTag(const zeek::file_analysis::Tag& arg_tag)
 	{
 	assert(! tag || tag == arg_tag);
 	tag = arg_tag;
 	}
-file_analysis::Analyzer::Analyzer(file_analysis::Tag arg_tag,
+Analyzer::Analyzer(zeek::file_analysis::Tag arg_tag,
                   zeek::RecordValPtr arg_args,
                   File* arg_file)
 	: tag(arg_tag),
@ -30,16 +32,18 @@ file_analysis::Analyzer::Analyzer(file_analysis::Tag arg_tag,
 	id = ++id_counter;
 	}
-file_analysis::Analyzer::Analyzer(zeek::RecordValPtr arg_args, File* arg_file)
+Analyzer::Analyzer(zeek::RecordValPtr arg_args, File* arg_file)
 	: Analyzer({}, std::move(arg_args), arg_file)
 	{}
-file_analysis::Analyzer::Analyzer(file_analysis::Tag arg_tag,
+Analyzer::Analyzer(zeek::file_analysis::Tag arg_tag,
                   zeek::RecordVal* arg_args,
                   File* arg_file)
 	: Analyzer(arg_tag, {zeek::NewRef{}, arg_args}, arg_file)
 	{}
-file_analysis::Analyzer::Analyzer(zeek::RecordVal* arg_args, File* arg_file)
+Analyzer::Analyzer(zeek::RecordVal* arg_args, File* arg_file)
 	: Analyzer({}, {zeek::NewRef{}, arg_args}, arg_file)
 	{}
 } // namespace zeek::file_analysis
--- a/src/file_analysis/Analyzer.h
+++ b/src/file_analysis/Analyzer.h
@ -11,11 +11,11 @@ namespace zeek {
 using RecordValPtr = zeek::IntrusivePtr<RecordVal>;
 }
-namespace file_analysis {
+ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis);
-class File;
+namespace zeek::file_analysis {
-typedef uint32_t ID;
+using ID = uint32_t;
 /**
 * Base class for analyzers that can be attached to file_analysis::File objects.
@ -185,4 +185,11 @@ private:
 	static ID id_counter;
 };
 } // namespace zeek::file_analysis
 namespace file_analysis {
 	using ID [[deprecated("Remove in v4.1. Use zeek::file_analysis::ID.")]] = zeek::file_analysis::ID;
 	using Analyzer [[deprecated("Remove in v4.1. Use zeek::file_analysis::Analyzer.")]] = zeek::file_analysis::Analyzer;
 } // namespace file_analysis
--- a/src/file_analysis/AnalyzerSet.cc
+++ b/src/file_analysis/AnalyzerSet.cc
@ -8,7 +8,7 @@
 #include "Val.h"
 #include "file_analysis/file_analysis.bif.h"
-using namespace file_analysis;
+namespace zeek::file_analysis::detail {
 static void analyzer_del_func(void* v)
 	{
@ -210,3 +210,5 @@ void AnalyzerSet::DrainModifications()
 	DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] End flushing analyzer mod queue.",
 	        file->GetID().c_str());
 	}
 } // namespace zeek::file_analysis::detail
--- a/src/file_analysis/AnalyzerSet.h
+++ b/src/file_analysis/AnalyzerSet.h
@ -14,10 +14,10 @@ namespace zeek {
 using RecordValPtr = zeek::IntrusivePtr<RecordVal>;
 }
-namespace file_analysis {
+ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, file_analysis);
 ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis);
-class Analyzer;
+namespace zeek::file_analysis::detail {
 class File;
 /**
 * A set of file analysis analyzers indexed by an \c AnalyzerArgs (script-layer
@ -212,4 +212,8 @@ private:
 	ModQueue mod_queue;	/**< A queue of analyzer additions/removals requests. */
 };
-} // namespace file_analysiss
+} // namespace zeek::file_analysis::detail
 namespace file_analysis {
 	using AnalyzerSet [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::AnalyzerSet.")]] = zeek::file_analysis::detail::AnalyzerSet;
 } // namespace file_analysis
--- a/src/file_analysis/Component.cc
+++ b/src/file_analysis/Component.cc
@ -6,11 +6,11 @@
 #include "../Desc.h"
 #include "../util.h"
-using namespace file_analysis;
+namespace zeek::file_analysis {
 Component::Component(const std::string& name, factory_callback arg_factory, Tag::subtype_t subtype)
 	: zeek::plugin::Component(zeek::plugin::component::FILE_ANALYZER, name),
-	  plugin::TaggedComponent<file_analysis::Tag>(subtype)
+	  zeek::plugin::TaggedComponent<zeek::file_analysis::Tag>(subtype)
 	{
 	factory = arg_factory;
 	factory_func = nullptr;
@ -18,7 +18,7 @@ Component::Component(const std::string& name, factory_callback arg_factory, Tag:
 Component::Component(const std::string& name, factory_function arg_factory, Tag::subtype_t subtype)
 	: zeek::plugin::Component(zeek::plugin::component::FILE_ANALYZER, name),
-	  plugin::TaggedComponent<file_analysis::Tag>(subtype)
+	  zeek::plugin::TaggedComponent<zeek::file_analysis::Tag>(subtype)
 	{
 	factory = nullptr;
 	factory_func = arg_factory;
@ -42,3 +42,5 @@ void Component::DoDescribe(zeek::ODesc* d) const
 		d->Add(CanonicalName());
 		}
 	}
 } // namespace zeek::file_analysis
--- a/src/file_analysis/Component.h
+++ b/src/file_analysis/Component.h
@ -13,11 +13,11 @@ namespace zeek {
 using RecordValPtr = zeek::IntrusivePtr<RecordVal>;
 }
-namespace file_analysis {
+ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, file_analysis);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Manager, zeek, file_analysis);
-class File;
+namespace zeek::file_analysis {
 class Analyzer;
 class Manager;
 /**
 * Component description for plugins providing file analyzers.
@ -26,7 +26,7 @@ class Manager;
 * analyzer component, describing the analyzer.
 */
 class Component : public zeek::plugin::Component,
-                  public plugin::TaggedComponent<file_analysis::Tag> {
+                  public zeek::plugin::TaggedComponent<file_analysis::Tag> {
 public:
 	typedef Analyzer* (*factory_callback)(zeek::RecordVal* args, File* file);
 	using factory_function = Analyzer* (*)(zeek::RecordValPtr args, File* file);
@ -83,10 +83,14 @@ protected:
 	void DoDescribe(zeek::ODesc* d) const override;
 private:
-	friend class file_analysis::Manager;
+	friend class zeek::file_analysis::Manager;
 	factory_callback factory;	// The analyzer's factory callback (deprecated).
 	factory_function factory_func;	// The analyzer's factory callback.
 };
-}
+} // namespace zeek::file_analysis
 namespace file_analysis {
 	using Component [[deprecated("Remove in v4.1. Use zeek::file_analysis::Component.")]] = zeek::file_analysis::Component;
 } // namespace file_analysis
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@ -19,7 +19,7 @@
 #include "analyzer/extract/Extract.h"
-using namespace file_analysis;
+namespace zeek::file_analysis {
 static zeek::TableValPtr empty_connection_table()
 	{
@ -214,7 +214,7 @@ bool File::SetExtractionLimit(zeek::RecordValPtr args, uint64_t bytes)
 	if ( ! a )
 		return false;
-	Extract* e = dynamic_cast<Extract*>(a);
+	auto* e = dynamic_cast<zeek::file_analysis::detail::Extract*>(a);
 	if ( ! e )
 		return false;
@ -250,7 +250,7 @@ bool File::IsComplete() const
 void File::ScheduleInactivityTimer() const
 	{
-	zeek::detail::timer_mgr->Add(new FileTimer(network_time, id, GetTimeoutInterval()));
+	zeek::detail::timer_mgr->Add(new detail::FileTimer(network_time, id, GetTimeoutInterval()));
 	}
 bool File::AddAnalyzer(file_analysis::Tag tag, zeek::RecordVal* args)
@ -655,3 +655,5 @@ bool File::PermitWeird(const char* name, uint64_t threshold, uint64_t rate,
 	{
 	return zeek::detail::PermitWeird(weird_state, name, threshold, rate, duration);
 	}
 } // namespace zeek::file_analysis
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@ -22,10 +22,10 @@ using RecordValPtr = zeek::IntrusivePtr<zeek::RecordVal>;
 using RecordTypePtr = zeek::IntrusivePtr<zeek::RecordType>;
 }
-namespace file_analysis {
+ZEEK_FORWARD_DECLARE_NAMESPACED(FileReassembler, zeek, file_analysis);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Tag, zeek, file_analysis);
-class FileReassembler;
+namespace zeek::file_analysis {
 class Tag;
 /**
 * Wrapper class around \c fa_file record values from script layer.
@ -359,7 +359,7 @@ protected:
 	bool reassembly_enabled;           /**< Whether file stream reassembly is needed. */
 	bool postpone_timeout;     /**< Whether postponing timeout is requested. */
 	bool done;                 /**< If this object is about to be deleted. */
-	AnalyzerSet analyzers;     /**< A set of attached file analyzers. */
+	detail::AnalyzerSet analyzers;     /**< A set of attached file analyzers. */
 	std::list<Analyzer *> done_analyzers; /**< Analyzers we're done with, remembered here until they can be safely deleted. */
 	struct BOF_Buffer {
@ -396,3 +396,7 @@ protected:
 };
 } // namespace file_analysis
 namespace file_analysis {
 	using File [[deprecated("Remove in v4.1. Use zeek::file_analysis::File.")]] = zeek::file_analysis::File;
 } // namespace zeek::file_analysis
--- a/src/file_analysis/FileReassembler.cc
+++ b/src/file_analysis/FileReassembler.cc
@ -1,11 +1,11 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "FileReassembler.h"
 #include "File.h"
 ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis);
-namespace file_analysis {
+namespace zeek::file_analysis {
 class File;
 FileReassembler::FileReassembler(File *f, uint64_t starting_offset)
 	: zeek::Reassembler(starting_offset, zeek::REASSEM_FILE), the_file(f), flushing(false)
--- a/src/file_analysis/FileReassembler.h
+++ b/src/file_analysis/FileReassembler.h
@ -1,3 +1,5 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #pragma once
 #include "Reassem.h"
@ -6,10 +8,9 @@ namespace zeek { class File; }
 using BroFile [[deprecated("Remove in v4.1. Use zeek::File.")]] = zeek::File;
 ZEEK_FORWARD_DECLARE_NAMESPACED(Connection, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis);
-namespace file_analysis {
+namespace zeek::file_analysis {
 class File;
 class FileReassembler final : public zeek::Reassembler {
 public:
@ -58,4 +59,8 @@ protected:
 	bool flushing;
 };
-} // namespace analyzer::*
+} // namespace zeek::file_analysis
 namespace file_analysis {
 	using FileReassembler [[deprecated("Remove in v4.1. Use zeek::file_analysis::FileReassembler.")]] = zeek::file_analysis::FileReassembler;
 } // namespace file_analysis
--- a/src/file_analysis/FileTimer.cc
+++ b/src/file_analysis/FileTimer.cc
@ -4,7 +4,7 @@
 #include "File.h"
 #include "Manager.h"
-using namespace file_analysis;
+namespace zeek::file_analysis::detail {
 FileTimer::FileTimer(double t, const std::string& id, double interval)
 	: zeek::detail::Timer(t + interval, zeek::detail::TIMER_FILE_ANALYSIS_INACTIVITY), file_id(id)
@ -39,3 +39,5 @@ void FileTimer::Dispatch(double t, bool is_expire)
 	else if ( ! is_expire )
 		file->ScheduleInactivityTimer();
 	}
 } // namespace zeek::file_analysis::detail
--- a/src/file_analysis/FileTimer.h
+++ b/src/file_analysis/FileTimer.h
@ -5,7 +5,7 @@
 #include <string>
 #include "Timer.h"
-namespace file_analysis {
+namespace zeek::file_analysis::detail {
 /**
 * Timer to periodically check if file analysis for a given file is inactive.
@ -33,4 +33,8 @@ private:
 	std::string file_id;
 };
 } // namespace zeek::file_analysis::detail
 namespace file_analysis {
 	using FileTimer [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::FileTimer.")]] = zeek::file_analysis::detail::FileTimer;
 } // namespace file_analysis
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@ -13,12 +13,13 @@
 #include <openssl/md5.h>
 using namespace file_analysis;
 using namespace std;
 namespace zeek::file_analysis {
 Manager::Manager()
-	: plugin::ComponentManager<file_analysis::Tag,
+	: plugin::ComponentManager<zeek::file_analysis::Tag,
-	                           file_analysis::Component>("Files", "Tag"),
+	                           zeek::file_analysis::Component>("Files", "Tag"),
 	  current_file_id(), magic_state(), cumulative_files(0), max_files(0)
 	{
 	}
@ -273,11 +274,11 @@ bool Manager::SetExtractionLimit(const string& file_id,
 	return file->SetExtractionLimit(std::move(args), n);
 	}
-bool Manager::AddAnalyzer(const string& file_id, const file_analysis::Tag& tag,
+bool Manager::AddAnalyzer(const string& file_id, const zeek::file_analysis::Tag& tag,
                          zeek::RecordVal* args) const
 	{ return AddAnalyzer(file_id, tag, {zeek::NewRef{}, args}); }
-bool Manager::AddAnalyzer(const string& file_id, const file_analysis::Tag& tag,
+bool Manager::AddAnalyzer(const string& file_id, const zeek::file_analysis::Tag& tag,
                          zeek::RecordValPtr args) const
 	{
 	File* file = LookupFile(file_id);
@ -288,11 +289,11 @@ bool Manager::AddAnalyzer(const string& file_id, const file_analysis::Tag& tag,
 	return file->AddAnalyzer(tag, std::move(args));
 	}
-bool Manager::RemoveAnalyzer(const string& file_id, const file_analysis::Tag& tag,
+bool Manager::RemoveAnalyzer(const string& file_id, const zeek::file_analysis::Tag& tag,
                             zeek::RecordVal* args) const
 	{ return RemoveAnalyzer(file_id, tag, {zeek::NewRef{}, args}); }
-bool Manager::RemoveAnalyzer(const string& file_id, const file_analysis::Tag& tag,
+bool Manager::RemoveAnalyzer(const string& file_id, const zeek::file_analysis::Tag& tag,
                             zeek::RecordValPtr args) const
 	{
 	File* file = LookupFile(file_id);
@ -518,7 +519,7 @@ string Manager::DetectMIME(const u_char* data, uint64_t len) const
 	return *(matches.begin()->second.begin());
 	}
-zeek::VectorValPtr file_analysis::GenMIMEMatchesVal(const zeek::detail::RuleMatcher::MIME_Matches& m)
+zeek::VectorValPtr GenMIMEMatchesVal(const zeek::detail::RuleMatcher::MIME_Matches& m)
 	{
 	static auto mime_matches = zeek::id::find_type<zeek::VectorType>("mime_matches");
 	static auto mime_match = zeek::id::find_type<zeek::RecordType>("mime_match");
@ -541,3 +542,5 @@ zeek::VectorValPtr file_analysis::GenMIMEMatchesVal(const zeek::detail::RuleMatc
 	return rval;
 	}
 } // namespace zeek::file_analysis
--- a/src/file_analysis/Manager.h
+++ b/src/file_analysis/Manager.h
@ -11,23 +11,23 @@
 #include "RuleMatcher.h"
 #include "plugin/ComponentManager.h"
 #include "analyzer/Tag.h"
 #include "FileTimer.h"
 ZEEK_FORWARD_DECLARE_NAMESPACED(TableVal, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(VectorVal, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, analyzer);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Tag, zeek, analyzer);
 ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Tag, zeek, file_analysis);
 namespace zeek {
 namespace file_analysis {
 class File;
 class Tag;
 /**
 * Main entry point for interacting with file analysis.
 */
-class Manager : public plugin::ComponentManager<Tag, Component> {
+class Manager : public zeek::plugin::ComponentManager<Tag, Component> {
 public:
 	/**
@ -349,7 +349,7 @@ public:
 		{ return cumulative_files; }
 protected:
-	friend class FileTimer;
+	friend class zeek::file_analysis::detail::FileTimer;
 	/**
 	 * Create a new file to be analyzed or retrieve an existing one.
@ -441,3 +441,11 @@ zeek::VectorValPtr GenMIMEMatchesVal(const zeek::detail::RuleMatcher::MIME_Match
 } // namespace file_analysis
 extern file_analysis::Manager* file_mgr;
 } // namespace zeek
 namespace file_analysis {
 	using Manager [[deprecated("Remove in v4.1. Use zeek::file_analysis::Manager.")]] = zeek::file_analysis::Manager;
 }
 extern zeek::file_analysis::Manager*& file_mgr [[deprecated("Remove in v4.1. Use zeek::file_mgr.")]];
--- a/src/file_analysis/Tag.cc
+++ b/src/file_analysis/Tag.cc
@ -3,35 +3,37 @@
 #include "Tag.h"
 #include "Manager.h"
-using namespace file_analysis;
+namespace zeek::file_analysis {
-const file_analysis::Tag file_analysis::Tag::Error;
+const Tag Tag::Error;
-file_analysis::Tag::Tag(type_t type, subtype_t subtype)
+Tag::Tag(type_t type, subtype_t subtype)
 	: ::Tag(file_mgr->GetTagType(), type, subtype)
 	{
 	}
-file_analysis::Tag& file_analysis::Tag::operator=(const file_analysis::Tag& other)
+Tag& Tag::operator=(const Tag& other)
 	{
 	zeek::Tag::operator=(other);
 	return *this;
 	}
-const zeek::EnumValPtr& file_analysis::Tag::AsVal() const
+const zeek::EnumValPtr& Tag::AsVal() const
 	{
 	return zeek::Tag::AsVal(file_mgr->GetTagType());
 	}
-zeek::EnumVal* file_analysis::Tag::AsEnumVal() const
+zeek::EnumVal* Tag::AsEnumVal() const
 	{
 	return AsVal().get();
 	}
-file_analysis::Tag::Tag(zeek::EnumValPtr val)
+Tag::Tag(zeek::EnumValPtr val)
 	: zeek::Tag(std::move(val))
 	{ }
-file_analysis::Tag::Tag(zeek::EnumVal* val)
+Tag::Tag(zeek::EnumVal* val)
 	: zeek::Tag({zeek::NewRef{}, val})
 	{ }
 } // namespace zeek::file_analysis
--- a/src/file_analysis/Tag.h
+++ b/src/file_analysis/Tag.h
@ -20,9 +20,9 @@ namespace plugin {
 		zeek::plugin::ComponentManager<T, C>;
 }
-namespace file_analysis {
+ZEEK_FORWARD_DECLARE_NAMESPACED(Component, zeek, file_analysis);
-class Component;
+namespace zeek::file_analysis {
 /**
 * Class to identify a file analyzer type.
@ -122,4 +122,8 @@ protected:
 	explicit Tag(zeek::EnumVal* val);
 };
-}
+} // namespace zeek::file_analysis
 namespace file_analysis {
 	using Tag [[deprecated("Remove in v4.1. Use zeek::file_analysis::Tag.")]] = zeek::file_analysis::Tag;
 } // namespace file_analysis
--- a/src/file_analysis/analyzer/data_event/DataEvent.cc
+++ b/src/file_analysis/analyzer/data_event/DataEvent.cc
@ -9,18 +9,18 @@
 #include "util.h"
 #include "file_analysis/Manager.h"
-using namespace file_analysis;
+namespace zeek::file_analysis::detail {
-DataEvent::DataEvent(zeek::RecordValPtr args, File* file,
+DataEvent::DataEvent(zeek::RecordValPtr args, zeek::file_analysis::File* file,
                     zeek::EventHandlerPtr ce, zeek::EventHandlerPtr se)
-    : file_analysis::Analyzer(file_mgr->GetComponentTag("DATA_EVENT"),
+    : file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("DATA_EVENT"),
 	                          std::move(args), file),
 	chunk_event(ce), stream_event(se)
 	{
 	}
-file_analysis::Analyzer* DataEvent::Instantiate(zeek::RecordValPtr args,
+zeek::file_analysis::Analyzer* DataEvent::Instantiate(zeek::RecordValPtr args,
-                                                File* file)
+                                                      zeek::file_analysis::File* file)
 	{
 	const auto& chunk_val = args->GetField("chunk_event");
 	const auto& stream_val = args->GetField("stream_event");
@ -63,3 +63,5 @@ bool DataEvent::DeliverStream(const u_char* data, uint64_t len)
 	return true;
 	}
 } // namespace zeek::file_analysis::detail
--- a/src/file_analysis/analyzer/data_event/DataEvent.h
+++ b/src/file_analysis/analyzer/data_event/DataEvent.h
@ -9,12 +9,12 @@
 #include "Analyzer.h"
 #include "EventHandler.h"
-namespace file_analysis {
+namespace zeek::file_analysis::detail {
 /**
 * An analyzer to send file data to script-layer via events.
 */
-class DataEvent : public file_analysis::Analyzer {
+class DataEvent : public zeek::file_analysis::Analyzer {
 public:
 	/**
@ -43,8 +43,8 @@ public:
 	 * @return the new DataEvent analyzer instance or a null pointer if
 	 *         no "chunk_event" or "stream_event" field was specfied in \a args.
 	 */
-	static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
+	static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
-	                                            File* file);
+	                                                  zeek::file_analysis::File* file);
 protected:
@ -57,7 +57,7 @@ protected:
 	 * @param se pointer to event handler which will be called to receive
 	 *        sequential file data.
 	 */
-	DataEvent(zeek::RecordValPtr args, File* file,
+	DataEvent(zeek::RecordValPtr args, zeek::file_analysis::File* file,
 	          zeek::EventHandlerPtr ce, zeek::EventHandlerPtr se);
 private:
@ -65,4 +65,10 @@ private:
 	zeek::EventHandlerPtr stream_event;
 };
 } // namespace zeek::file_analysis::detail
 namespace file_analysis {
 	using DataEvent [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::DataEvent.")]] = zeek::file_analysis::detail::DataEvent;
 } // namespace file_analysis
--- a/src/file_analysis/analyzer/data_event/Plugin.cc
+++ b/src/file_analysis/analyzer/data_event/Plugin.cc
@ -4,14 +4,13 @@
 #include "plugin/Plugin.h"
 #include "file_analysis/Component.h"
-namespace plugin {
+namespace zeek::plugin::detail::Zeek_FileDataEvent {
 namespace Zeek_FileDataEvent {
 class Plugin : public zeek::plugin::Plugin {
 public:
 	zeek::plugin::Configuration Configure() override
 		{
-		AddComponent(new ::file_analysis::Component("DATA_EVENT", ::file_analysis::DataEvent::Instantiate));
+		AddComponent(new zeek::file_analysis::Component("DATA_EVENT", zeek::file_analysis::detail::DataEvent::Instantiate));
 		zeek::plugin::Configuration config;
 		config.name = "Zeek::FileDataEvent";
@ -20,5 +19,4 @@ public:
 		}
 } plugin;
-}
+} // namespace zeek::plugin::detail::Zeek_FileDataEvent
 }
--- a/src/file_analysis/analyzer/entropy/Entropy.cc
+++ b/src/file_analysis/analyzer/entropy/Entropy.cc
@ -7,13 +7,12 @@
 #include "Event.h"
 #include "file_analysis/Manager.h"
-using namespace file_analysis;
+namespace zeek::file_analysis::detail {
-Entropy::Entropy(zeek::RecordValPtr args, File* file)
+Entropy::Entropy(zeek::RecordValPtr args, zeek::file_analysis::File* file)
-    : file_analysis::Analyzer(file_mgr->GetComponentTag("ENTROPY"),
+	: zeek::file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("ENTROPY"),
 	                                std::move(args), file)
 	{
 	//entropy->Init();
 	entropy = new zeek::EntropyVal;
 	fed = false;
 	}
@ -23,8 +22,8 @@ Entropy::~Entropy()
 	Unref(entropy);
 	}
-file_analysis::Analyzer* Entropy::Instantiate(zeek::RecordValPtr args,
+zeek::file_analysis::Analyzer* Entropy::Instantiate(zeek::RecordValPtr args,
-                                              File* file)
+                                                    zeek::file_analysis::File* file)
 	{
 	return new Entropy(std::move(args), file);
 	}
@ -51,7 +50,6 @@ bool Entropy::Undelivered(uint64_t offset, uint64_t len)
 void Entropy::Finalize()
 	{
 	//if ( ! entropy->IsValid() || ! fed )
 	if ( ! fed )
 		return;
@ -75,3 +73,5 @@ void Entropy::Finalize()
 	                        std::move(ent_result)
 	);
 	}
 } // namespace zeek::file_analysis::detail
--- a/src/file_analysis/analyzer/entropy/Entropy.h
+++ b/src/file_analysis/analyzer/entropy/Entropy.h
@ -11,12 +11,12 @@
 #include "events.bif.h"
-namespace file_analysis {
+namespace zeek::file_analysis::detail {
 /**
 * An analyzer to produce entropy of file contents.
 */
-class Entropy : public file_analysis::Analyzer {
+class Entropy : public zeek::file_analysis::Analyzer {
 public:
 	/**
@ -31,8 +31,8 @@ public:
 	 * @return the new Entropy analyzer instance or a null pointer if the
 	 *         the "extraction_file" field of \a args wasn't set.
 	 */
-	static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
+	static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
-	                                            File* file);
+	                                                  zeek::file_analysis::File* file);
 	/**
 	 * Calculate entropy of next chunk of file contents.
@ -66,7 +66,7 @@ protected:
 	 * @param hv specific hash calculator object.
 	 * @param kind human readable name of the hash algorithm to use.
 	 */
-	Entropy(zeek::RecordValPtr args, File* file);
+	Entropy(zeek::RecordValPtr args, zeek::file_analysis::File* file);
 	/**
 	 * If some file contents have been seen, finalizes the entropy of them and
@ -79,4 +79,10 @@ private:
 	bool fed;
 };
 } // namespace zeek::file_analysis::detail
 namespace file_analysis {
 	using Entropy [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::Entropy.")]] = zeek::file_analysis::detail::Entropy;
 } // namespace file_analysis
--- a/src/file_analysis/analyzer/entropy/Plugin.cc
+++ b/src/file_analysis/analyzer/entropy/Plugin.cc
@ -4,14 +4,13 @@
 #include "plugin/Plugin.h"
 #include "file_analysis/Component.h"
-namespace plugin {
+namespace zeek::plugin::detail::Zeek_FileEntropy {
 namespace Zeek_FileEntropy {
 class Plugin : public zeek::plugin::Plugin {
 public:
 	zeek::plugin::Configuration Configure() override
 		{
-		AddComponent(new ::file_analysis::Component("ENTROPY", ::file_analysis::Entropy::Instantiate));
+		AddComponent(new zeek::file_analysis::Component("ENTROPY", zeek::file_analysis::detail::Entropy::Instantiate));
 		zeek::plugin::Configuration config;
 		config.name = "Zeek::FileEntropy";
@ -20,5 +19,4 @@ public:
 		}
 } plugin;
-}
+} // namespace zeek::plugin::detail::Zeek_FileEntropy
 }
--- a/src/file_analysis/analyzer/extract/Extract.cc
+++ b/src/file_analysis/analyzer/extract/Extract.cc
@ -8,11 +8,11 @@
 #include "Event.h"
 #include "file_analysis/Manager.h"
-using namespace file_analysis;
+namespace zeek::file_analysis::detail {
-Extract::Extract(zeek::RecordValPtr args, File* file,
+Extract::Extract(zeek::RecordValPtr args, zeek::file_analysis::File* file,
                 const std::string& arg_filename, uint64_t arg_limit)
-    : file_analysis::Analyzer(file_mgr->GetComponentTag("EXTRACT"),
+    : file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("EXTRACT"),
                              std::move(args), file),
      filename(arg_filename), limit(arg_limit), depth(0)
 	{
@ -44,7 +44,8 @@ static const zeek::ValPtr& get_extract_field_val(const zeek::RecordValPtr& args,
 	return rval;
 	}
-file_analysis::Analyzer* Extract::Instantiate(zeek::RecordValPtr args, File* file)
+zeek::file_analysis::Analyzer* Extract::Instantiate(zeek::RecordValPtr args,
                                                    zeek::file_analysis::File* file)
 	{
 	const auto& fname = get_extract_field_val(args, "extract_filename");
 	const auto& limit = get_extract_field_val(args, "extract_limit");
@ -92,7 +93,7 @@ bool Extract::DeliverStream(const u_char* data, uint64_t len)
 	if ( limit_exceeded && file_extraction_limit )
 		{
-		File* f = GetFile();
+		zeek::file_analysis::File* f = GetFile();
 		f->FileEvent(file_extraction_limit, {
 			f->ToVal(),
 			GetArgs(),
@ -125,3 +126,5 @@ bool Extract::Undelivered(uint64_t offset, uint64_t len)
 	return true;
 	}
 } // namespace zeek::file_analysis::detail
--- a/src/file_analysis/analyzer/extract/Extract.h
+++ b/src/file_analysis/analyzer/extract/Extract.h
@ -10,12 +10,12 @@
 #include "analyzer/extract/events.bif.h"
-namespace file_analysis {
+namespace zeek::file_analysis::detail {
 /**
 * An analyzer to extract content of files to local disk.
 */
-class Extract : public file_analysis::Analyzer {
+class Extract : public zeek::file_analysis::Analyzer {
 public:
 	/**
@ -47,8 +47,8 @@ public:
 	 * @return the new Extract analyzer instance or a null pointer if the
 	 *         the "extraction_file" field of \a args wasn't set.
 	 */
-	static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
+	static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
-	                                            File* file);
+	                                                  zeek::file_analysis::File* file);
 	/**
 	 * Sets the maximum allowed extracted file size.  A value of zero means
@ -67,7 +67,7 @@ protected:
 	 *        to which the contents of the file will be extracted/written.
 	 * @param arg_limit the maximum allowed file size.
 	 */
-	Extract(zeek::RecordValPtr args, File* file,
+	Extract(zeek::RecordValPtr args, zeek::file_analysis::File* file,
 	        const std::string& arg_filename, uint64_t arg_limit);
 private:
@ -77,4 +77,10 @@ private:
 	uint64_t depth;
 };
 } // namespace zeek::file_analysis::detail
 namespace file_analysis {
 	using Extract [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::Extract.")]] = zeek::file_analysis::detail::Extract;
 } // namespace file_analysis
--- a/src/file_analysis/analyzer/extract/Plugin.cc
+++ b/src/file_analysis/analyzer/extract/Plugin.cc
@ -4,14 +4,13 @@
 #include "plugin/Plugin.h"
 #include "file_analysis/Component.h"
-namespace plugin {
+namespace zeek::plugin::detail::Zeek_FileExtract {
 namespace Zeek_FileExtract {
 class Plugin : public zeek::plugin::Plugin {
 public:
 	zeek::plugin::Configuration Configure() override
 		{
-		AddComponent(new ::file_analysis::Component("EXTRACT", ::file_analysis::Extract::Instantiate));
+		AddComponent(new zeek::file_analysis::Component("EXTRACT", zeek::file_analysis::detail::Extract::Instantiate));
 		zeek::plugin::Configuration config;
 		config.name = "Zeek::FileExtract";
@ -20,5 +19,4 @@ public:
 		}
 } plugin;
-}
+} // namespace zeek::plugin::detail::Zeek_FileExtract
 }
--- a/src/file_analysis/analyzer/extract/functions.bif
+++ b/src/file_analysis/analyzer/extract/functions.bif
@ -12,7 +12,7 @@ function FileExtract::__set_limit%(file_id: string, args: any, n: count%): bool
 	%{
 	using zeek::BifType::Record::Files::AnalyzerArgs;
 	auto rv = args->AsRecordVal()->CoerceTo(AnalyzerArgs);
-	bool result = file_mgr->SetExtractionLimit(file_id->CheckString(),
+	bool result = zeek::file_mgr->SetExtractionLimit(file_id->CheckString(),
 	                                                 std::move(rv), n);
 	return zeek::val_mgr->Bool(result);
 	%}
--- a/src/file_analysis/analyzer/hash/Hash.cc
+++ b/src/file_analysis/analyzer/hash/Hash.cc
@ -7,10 +7,11 @@
 #include "Event.h"
 #include "file_analysis/Manager.h"
-using namespace file_analysis;
+namespace zeek::file_analysis::detail {
-Hash::Hash(zeek::RecordValPtr args, File* file, zeek::HashVal* hv, const char* arg_kind)
+Hash::Hash(zeek::RecordValPtr args, zeek::file_analysis::File* file,
-	: file_analysis::Analyzer(file_mgr->GetComponentTag(to_upper(arg_kind).c_str()),
+           zeek::HashVal* hv, const char* arg_kind)
 	: zeek::file_analysis::Analyzer(zeek::file_mgr->GetComponentTag(to_upper(arg_kind).c_str()),
 	                                std::move(args), file),
 	  hash(hv), fed(false), kind(arg_kind)
 	{
@ -59,3 +60,5 @@ void Hash::Finalize()
 	                        hash->Get()
 	);
 	}
 } // namespace zeek::file_analysis::detail
--- a/src/file_analysis/analyzer/hash/Hash.h
+++ b/src/file_analysis/analyzer/hash/Hash.h
@ -11,12 +11,12 @@
 #include "events.bif.h"
-namespace file_analysis {
+namespace zeek::file_analysis::detail {
 /**
 * An analyzer to produce a hash of file contents.
 */
-class Hash : public file_analysis::Analyzer {
+class Hash : public zeek::file_analysis::Analyzer {
 public:
 	/**
@ -56,7 +56,7 @@ protected:
 	 * @param hv specific hash calculator object.
 	 * @param kind human readable name of the hash algorithm to use.
 	 */
-	Hash(zeek::RecordValPtr args, File* file, zeek::HashVal* hv, const char* kind);
+	Hash(zeek::RecordValPtr args, zeek::file_analysis::File* file, zeek::HashVal* hv, const char* kind);
 	/**
 	 * If some file contents have been seen, finalizes the hash of them and
@ -83,8 +83,8 @@ public:
 	 * @return the new MD5 analyzer instance or a null pointer if there's no
 	 *         handler for the "file_hash" event.
 	 */
-	static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
+	static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
-	                                            File* file)
+	                                                  zeek::file_analysis::File* file)
 		{ return file_hash ? new MD5(std::move(args), file) : nullptr; }
 protected:
@ -94,7 +94,7 @@ protected:
 	 * @param args the \c AnalyzerArgs value which represents the analyzer.
 	 * @param file the file to which the analyzer will be attached.
 	 */
-	MD5(zeek::RecordValPtr args, File* file)
+	MD5(zeek::RecordValPtr args, zeek::file_analysis::File* file)
 		: Hash(std::move(args), file, new zeek::MD5Val(), "md5")
 		{}
 };
@ -112,8 +112,8 @@ public:
 	 * @return the new MD5 analyzer instance or a null pointer if there's no
 	 *         handler for the "file_hash" event.
 	 */
-	static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
+	static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
-	                                            File* file)
+	                                                  zeek::file_analysis::File* file)
 		{ return file_hash ? new SHA1(std::move(args), file) : nullptr; }
 protected:
@ -123,7 +123,7 @@ protected:
 	 * @param args the \c AnalyzerArgs value which represents the analyzer.
 	 * @param file the file to which the analyzer will be attached.
 	 */
-	SHA1(zeek::RecordValPtr args, File* file)
+	SHA1(zeek::RecordValPtr args, zeek::file_analysis::File* file)
 		: Hash(std::move(args), file, new zeek::SHA1Val(), "sha1")
 		{}
 };
@ -141,8 +141,8 @@ public:
 	 * @return the new MD5 analyzer instance or a null pointer if there's no
 	 *         handler for the "file_hash" event.
 	 */
-	static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
+	static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
-	                                            File* file)
+	                                                  zeek::file_analysis::File* file)
 		{ return file_hash ? new SHA256(std::move(args), file) : nullptr; }
 protected:
@ -152,9 +152,18 @@ protected:
 	 * @param args the \c AnalyzerArgs value which represents the analyzer.
 	 * @param file the file to which the analyzer will be attached.
 	 */
-	SHA256(zeek::RecordValPtr args, File* file)
+	SHA256(zeek::RecordValPtr args, zeek::file_analysis::File* file)
 		: Hash(std::move(args), file, new zeek::SHA256Val(), "sha256")
 		{}
 };
 } // namespace zeek::file_analysis
 namespace file_analysis {
 	using Hash [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::Hash.")]] = zeek::file_analysis::detail::Hash;
 	using MD5 [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::MD5.")]] = zeek::file_analysis::detail::MD5;
 	using SHA1 [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::SHA1.")]] = zeek::file_analysis::detail::SHA1;
 	using SHA256 [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::SHA256.")]] = zeek::file_analysis::detail::SHA256;
 } // namespace file_analysis
--- a/src/file_analysis/analyzer/hash/Plugin.cc
+++ b/src/file_analysis/analyzer/hash/Plugin.cc
@ -4,16 +4,15 @@
 #include "plugin/Plugin.h"
 #include "file_analysis/Component.h"
-namespace plugin {
+namespace zeek::plugin::detail::Zeek_FileHash {
 namespace Zeek_FileHash {
 class Plugin : public zeek::plugin::Plugin {
 public:
 	zeek::plugin::Configuration Configure() override
 		{
-		AddComponent(new ::file_analysis::Component("MD5", ::file_analysis::MD5::Instantiate));
+		AddComponent(new zeek::file_analysis::Component("MD5", zeek::file_analysis::detail::MD5::Instantiate));
-		AddComponent(new ::file_analysis::Component("SHA1", ::file_analysis::SHA1::Instantiate));
+		AddComponent(new zeek::file_analysis::Component("SHA1", zeek::file_analysis::detail::SHA1::Instantiate));
-		AddComponent(new ::file_analysis::Component("SHA256", ::file_analysis::SHA256::Instantiate));
+		AddComponent(new zeek::file_analysis::Component("SHA256", zeek::file_analysis::detail::SHA256::Instantiate));
 		zeek::plugin::Configuration config;
 		config.name = "Zeek::FileHash";
@ -22,5 +21,4 @@ public:
 		}
 } plugin;
-}
+} // namespace zeek::plugin::detail::Zeek_FileHash
 }
--- a/src/file_analysis/analyzer/pe/PE.cc
+++ b/src/file_analysis/analyzer/pe/PE.cc
@ -1,10 +1,11 @@
 #include "PE.h"
 #include "file_analysis/Manager.h"
-using namespace file_analysis;
+namespace zeek::file_analysis::detail {
-PE::PE(zeek::RecordValPtr args, File* file)
+PE::PE(zeek::RecordValPtr args, zeek::file_analysis::File* file)
-    : file_analysis::Analyzer(file_mgr->GetComponentTag("PE"), std::move(args),
+	: zeek::file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("PE"),
 	                                std::move(args),
 	                                file)
 	{
 	conn = new binpac::PE::MockConnection(this);
@ -39,3 +40,5 @@ bool PE::EndOfFile()
 	{
 	return false;
 	}
 } // namespace zeek::file_analysis::detail
--- a/src/file_analysis/analyzer/pe/PE.h
+++ b/src/file_analysis/analyzer/pe/PE.h
@ -6,17 +6,17 @@
 #include "../File.h"
 #include "pe_pac.h"
-namespace file_analysis {
+namespace zeek::file_analysis::detail {
 /**
 * Analyze Portable Executable files
 */
-class PE : public file_analysis::Analyzer {
+class PE : public zeek::file_analysis::Analyzer {
 public:
 	~PE();
-	static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
+	static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
-	                                            File* file)
+	                                                  zeek::file_analysis::File* file)
 		{ return new PE(std::move(args), file); }
 	virtual bool DeliverStream(const u_char* data, uint64_t len);
@ -24,10 +24,16 @@ public:
 	virtual bool EndOfFile();
 protected:
-	PE(zeek::RecordValPtr args, File* file);
+	PE(zeek::RecordValPtr args, zeek::file_analysis::File* file);
 	binpac::PE::File* interp;
 	binpac::PE::MockConnection* conn;
 	bool done;
 };
 } // namespace zeek::file_analysis::detail
 namespace file_analysis {
 	using PE [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::PE.")]] = zeek::file_analysis::detail::PE;
 } // namespace file_analysis
--- a/src/file_analysis/analyzer/pe/Plugin.cc
+++ b/src/file_analysis/analyzer/pe/Plugin.cc
@ -4,14 +4,13 @@
 #include "plugin/Plugin.h"
 #include "file_analysis/Component.h"
-namespace plugin {
+namespace zeek::plugin::detail::Zeek_PE {
 namespace Zeek_PE {
 class Plugin : public zeek::plugin::Plugin {
 public:
 	zeek::plugin::Configuration Configure() override
 		{
-		AddComponent(new ::file_analysis::Component("PE", ::file_analysis::PE::Instantiate));
+		AddComponent(new zeek::file_analysis::Component("PE", zeek::file_analysis::detail::PE::Instantiate));
 		zeek::plugin::Configuration config;
 		config.name = "Zeek::PE";
@ -20,5 +19,4 @@ public:
 		}
 } plugin;
-}
+} // namespace zeek::plugin::detail::Zeek_PE
 }
--- a/src/file_analysis/analyzer/unified2/Plugin.cc
+++ b/src/file_analysis/analyzer/unified2/Plugin.cc
@ -6,14 +6,13 @@
 #include "plugin/Plugin.h"
 #include "file_analysis/Component.h"
-namespace plugin {
+namespace zeek::plugin::detail::Zeek_Unified2 {
 namespace Zeek_Unified2 {
 class Plugin : public zeek::plugin::Plugin {
 public:
 	zeek::plugin::Configuration Configure() override
 		{
-		AddComponent(new ::file_analysis::Component("UNIFIED2", ::file_analysis::Unified2::Instantiate));
+		AddComponent(new zeek::file_analysis::Component("UNIFIED2", zeek::file_analysis::detail::Unified2::Instantiate));
 		zeek::plugin::Configuration config;
 		config.name = "Zeek::Unified2";
@ -22,5 +21,4 @@ public:
 		}
 } plugin;
-}
+} // namespace zeek::plugin::detail::Zeek_Unified2
 }
--- a/src/file_analysis/analyzer/unified2/Unified2.cc
+++ b/src/file_analysis/analyzer/unified2/Unified2.cc
@ -3,10 +3,11 @@
 #include "Unified2.h"
 #include "file_analysis/Manager.h"
-using namespace file_analysis;
+namespace zeek::file_analysis::detail {
-Unified2::Unified2(zeek::RecordValPtr args, File* file)
+Unified2::Unified2(zeek::RecordValPtr args, zeek::file_analysis::File* file)
-    : file_analysis::Analyzer(file_mgr->GetComponentTag("UNIFIED2"), std::move(args), file)
+    : file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("UNIFIED2"),
                              std::move(args), file)
 	{
 	interp = new binpac::Unified2::Unified2_Analyzer(this);
 	}
@ -16,7 +17,8 @@ Unified2::~Unified2()
 	delete interp;
 	}
-file_analysis::Analyzer* Unified2::Instantiate(zeek::RecordValPtr args, File* file)
+zeek::file_analysis::Analyzer* Unified2::Instantiate(zeek::RecordValPtr args,
                                                     zeek::file_analysis::File* file)
 	{
 	return new Unified2(std::move(args), file);
 	}
@ -35,3 +37,5 @@ bool Unified2::DeliverStream(const u_char* data, uint64_t len)
 	return true;
 	}
 } // namespace zeek::file_analysis::detail
--- a/src/file_analysis/analyzer/unified2/Unified2.h
+++ b/src/file_analysis/analyzer/unified2/Unified2.h
@ -9,21 +9,22 @@
 #include "Analyzer.h"
 #include "unified2_pac.h"
-namespace file_analysis {
+namespace zeek::file_analysis::detail {
 /**
 * An analyzer to extract content of files from local disk.
 */
-class Unified2 : public file_analysis::Analyzer {
+class Unified2 : public zeek::file_analysis::Analyzer {
 public:
 	~Unified2() override;
 	bool DeliverStream(const u_char* data, uint64_t len) override;
-	static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, File* file);
+	static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
 	                                                  zeek::file_analysis::File* file);
 protected:
-	Unified2(zeek::RecordValPtr args, File* file);
+	Unified2(zeek::RecordValPtr args, zeek::file_analysis::File* file);
 private:
 	binpac::Unified2::Unified2_Analyzer* interp;
@ -31,4 +32,10 @@ private:
 	string filename;
 };
 } // namespace zeek::file_analysis::detail
 namespace file_analysis {
 	using Unified2 [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::Unified2.")]] = zeek::file_analysis::detail::Unified2;
 } // namespace file_analysis
--- a/src/file_analysis/analyzer/x509/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@ -29,7 +29,7 @@ X509* helper_sk_X509_value(const STACK_OF(X509)* certs, int i)
 	return sk_X509_value(certs, i);
 	}
-using namespace file_analysis;
+namespace zeek::file_analysis::detail {
 #define OCSP_STRING_BUF_SIZE 2048
@ -113,38 +113,40 @@ static bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, zeek::Args* vl, BIO* bi
 	return true;
 	}
-file_analysis::Analyzer* OCSP::InstantiateRequest(zeek::RecordValPtr args, File* file)
+zeek::file_analysis::Analyzer* OCSP::InstantiateRequest(zeek::RecordValPtr args,
                                                        zeek::file_analysis::File* file)
 	{
 	return new OCSP(std::move(args), file, true);
 	}
-file_analysis::Analyzer* OCSP::InstantiateReply(zeek::RecordValPtr args, File* file)
+zeek::file_analysis::Analyzer* OCSP::InstantiateReply(zeek::RecordValPtr args,
                                                      zeek::file_analysis::File* file)
 	{
 	return new OCSP(std::move(args), file, false);
 	}
-file_analysis::OCSP::OCSP(zeek::RecordValPtr args, file_analysis::File* file,
+OCSP::OCSP(zeek::RecordValPtr args, zeek::file_analysis::File* file,
                          bool arg_request)
-	: file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("OCSP"),
+	: X509Common::X509Common(zeek::file_mgr->GetComponentTag("OCSP"),
 	                         std::move(args), file),
 	  request(arg_request)
 	{
 	}
-bool file_analysis::OCSP::DeliverStream(const u_char* data, uint64_t len)
+bool OCSP::DeliverStream(const u_char* data, uint64_t len)
 	{
 	ocsp_data.append(reinterpret_cast<const char*>(data), len);
 	return true;
 	}
-bool file_analysis::OCSP::Undelivered(uint64_t offset, uint64_t len)
+bool OCSP::Undelivered(uint64_t offset, uint64_t len)
 	{
 	return false;
 	}
 // we parse the entire OCSP response in EOF, because we just pass it on
 // to OpenSSL.
-bool file_analysis::OCSP::EndOfFile()
+bool OCSP::EndOfFile()
 	{
 	const unsigned char* ocsp_char = reinterpret_cast<const unsigned char*>(ocsp_data.data());
@ -399,7 +401,7 @@ static uint64_t parse_request_version(OCSP_REQUEST* req)
 	}
 #endif
-void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req)
+void OCSP::ParseRequest(OCSP_REQUEST* req)
 	{
 	char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions
 	memset(buf, 0, sizeof(buf));
@ -441,7 +443,7 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req)
 	BIO_free(bio);
 }
-void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
+void OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	{
 	//OCSP_RESPBYTES  *resp_bytes = resp->responseBytes;
 	OCSP_BASICRESP  *basic_resp = nullptr;
@ -636,7 +638,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 			::X509 *this_cert = X509_dup(helper_sk_X509_value(certs, i));
 			//::X509 *this_cert = X509_dup(sk_X509_value(certs, i));
 			if (this_cert)
-				certs_vector->Assign(i, zeek::make_intrusive<file_analysis::X509Val>(this_cert));
+				certs_vector->Assign(i, zeek::make_intrusive<X509Val>(this_cert));
 			else
 				zeek::reporter->Weird("OpenSSL returned null certificate");
 			}
@ -662,7 +664,7 @@ clean_up:
 	BIO_free(bio);
 }
-void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid)
+void OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid)
 	{
 	// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_cert_scts.
 	// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually
@ -674,3 +676,5 @@ void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa
 #endif
 		ParseSignedCertificateTimestamps(ex);
 	}
 } // namespace zeek::file_analysis::detail
--- a/src/file_analysis/analyzer/x509/OCSP.h
+++ b/src/file_analysis/analyzer/x509/OCSP.h
@ -3,28 +3,27 @@
 #pragma once
 #include <string>
 #include <openssl/ocsp.h>
 #include "X509Common.h"
-#include <openssl/ocsp.h>
+ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis);
-namespace file_analysis {
+namespace zeek::file_analysis::detail {
-class File;
+class OCSP : public zeek::file_analysis::detail::X509Common {
 class OCSP : public file_analysis::X509Common {
 public:
 	bool DeliverStream(const u_char* data, uint64_t len) override;
 	bool Undelivered(uint64_t offset, uint64_t len) override;
 	bool EndOfFile() override;
-	static file_analysis::Analyzer* InstantiateRequest(zeek::RecordValPtr args,
+	static zeek::file_analysis::Analyzer* InstantiateRequest(zeek::RecordValPtr args,
-	                                                   File* file);
+	                                                         zeek::file_analysis::File* file);
-	static file_analysis::Analyzer* InstantiateReply(zeek::RecordValPtr args,
+	static zeek::file_analysis::Analyzer* InstantiateReply(zeek::RecordValPtr args,
-	                                                 File* file);
+	                                                       zeek::file_analysis::File* file);
 protected:
-	OCSP(zeek::RecordValPtr args, File* file, bool request);
+	OCSP(zeek::RecordValPtr args, zeek::file_analysis::File* file, bool request);
 private:
 	void ParseResponse(OCSP_RESPONSE*);
@ -35,4 +34,10 @@ private:
 	bool request = false; // true if ocsp request, false if reply
 };
-}
+} // namespace zeek::file_analysis::detail
 namespace file_analysis {
 	using OCSP [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::OCSP.")]] = zeek::file_analysis::detail::OCSP;
 } // namespace file_analysis
--- a/src/file_analysis/analyzer/x509/Plugin.cc
+++ b/src/file_analysis/analyzer/x509/Plugin.cc
@ -5,16 +5,15 @@
 #include "plugin/Plugin.h"
 #include "file_analysis/Component.h"
-namespace plugin {
+namespace zeek::plugin::detail::Zeek_X509 {
 namespace Zeek_X509 {
 class Plugin : public zeek::plugin::Plugin {
 public:
 	zeek::plugin::Configuration Configure() override
 		{
-		AddComponent(new ::file_analysis::Component("X509", ::file_analysis::X509::Instantiate));
+		AddComponent(new zeek::file_analysis::Component("X509", zeek::file_analysis::detail::X509::Instantiate));
-		AddComponent(new ::file_analysis::Component("OCSP_REQUEST", ::file_analysis::OCSP::InstantiateRequest));
+		AddComponent(new zeek::file_analysis::Component("OCSP_REQUEST", zeek::file_analysis::detail::OCSP::InstantiateRequest));
-		AddComponent(new ::file_analysis::Component("OCSP_REPLY", ::file_analysis::OCSP::InstantiateReply));
+		AddComponent(new zeek::file_analysis::Component("OCSP_REPLY", zeek::file_analysis::detail::OCSP::InstantiateReply));
 		zeek::plugin::Configuration config;
 		config.name = "Zeek::X509";
@ -25,9 +24,8 @@ public:
 	void Done() override
 		{
 		zeek::plugin::Plugin::Done();
-		::file_analysis::X509::FreeRootStore();
+		zeek::file_analysis::detail::X509::FreeRootStore();
 		}
 } plugin;
-}
+} // namespace zeek::plugin::detail::Zeek_X509
 }
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@ -21,28 +21,28 @@
 #include <openssl/opensslconf.h>
 #include <openssl/err.h>
-using namespace file_analysis;
+namespace zeek::file_analysis::detail {
-file_analysis::X509::X509(zeek::RecordValPtr args, file_analysis::File* file)
+X509::X509(zeek::RecordValPtr args, zeek::file_analysis::File* file)
-	: file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("X509"),
+	: X509Common::X509Common(zeek::file_mgr->GetComponentTag("X509"),
 	                         std::move(args), file)
 	{
 	cert_data.clear();
 	}
-bool file_analysis::X509::DeliverStream(const u_char* data, uint64_t len)
+bool X509::DeliverStream(const u_char* data, uint64_t len)
 	{
 	// just add it to the data we have so far, since we cannot do anything else anyways...
 	cert_data.append(reinterpret_cast<const char*>(data), len);
 	return true;
 	}
-bool file_analysis::X509::Undelivered(uint64_t offset, uint64_t len)
+bool X509::Undelivered(uint64_t offset, uint64_t len)
 	{
 	return false;
 	}
-bool file_analysis::X509::EndOfFile()
+bool X509::EndOfFile()
 	{
 	const unsigned char* cert_char = reinterpret_cast<const unsigned char*>(cert_data.data());
 	if ( certificate_cache )
@ -113,7 +113,8 @@ bool file_analysis::X509::EndOfFile()
 	return false;
 	}
-zeek::RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
+zeek::RecordValPtr X509::ParseCertificate(X509Val* cert_val,
                                          zeek::file_analysis::File* f)
 	{
 	::X509* ssl_cert = cert_val->GetCertificate();
@ -240,7 +241,7 @@ zeek::RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File
 	return pX509Cert;
 	}
-X509_STORE* file_analysis::X509::GetRootStore(zeek::TableVal* root_certs)
+X509_STORE* X509::GetRootStore(zeek::TableVal* root_certs)
 	{
 	// If this certificate store was built previously, just reuse the old one.
 	if ( x509_stores.count(root_certs) > 0 )
@ -274,13 +275,13 @@ X509_STORE* file_analysis::X509::GetRootStore(zeek::TableVal* root_certs)
 	return ctx;
 	}
-void file_analysis::X509::FreeRootStore()
+void X509::FreeRootStore()
 	{
 	for ( const auto& e : x509_stores )
 		X509_STORE_free(e.second);
 	}
-void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
+void X509::ParseBasicConstraints(X509_EXTENSION* ex)
 	{
 	assert(OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_basic_constraints);
@ -309,7 +310,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
 		zeek::reporter->Weird(GetFile(), "x509_invalid_basic_constraint");
 	}
-void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid)
+void X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid)
 	{
 	// look if we have a specialized handler for this event...
 	if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints )
@ -329,7 +330,7 @@ void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa
 		ParseSignedCertificateTimestamps(ex);
 	}
-void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
+void X509::ParseSAN(X509_EXTENSION* ext)
 	{
 	assert(OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == NID_subject_alt_name);
@ -443,7 +444,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 	GENERAL_NAMES_free(altname);
 	}
-zeek::StringValPtr file_analysis::X509::KeyCurve(EVP_PKEY* key)
+zeek::StringValPtr X509::KeyCurve(EVP_PKEY* key)
 	{
 	assert(key != nullptr);
@ -476,7 +477,7 @@ zeek::StringValPtr file_analysis::X509::KeyCurve(EVP_PKEY* key)
 #endif
 	}
-unsigned int file_analysis::X509::KeyLength(EVP_PKEY *key)
+unsigned int X509::KeyLength(EVP_PKEY *key)
 	{
 	assert(key != NULL);
@ -583,3 +584,5 @@ bool X509Val::DoUnserialize(const broker::data& data)
 	certificate = d2i_X509(NULL, &opensslbuf, s->size());
 	return (certificate != nullptr);
 	}
 } // namespace zeek::file_analysis::detail
--- a/src/file_analysis/analyzer/x509/X509.h
+++ b/src/file_analysis/analyzer/x509/X509.h
@ -63,11 +63,11 @@ static void RSA_get0_key(const RSA *r,
 #endif
-namespace file_analysis {
+namespace zeek::file_analysis::detail {
 class X509Val;
-class X509 : public file_analysis::X509Common {
+class X509 : public zeek::file_analysis::detail::X509Common {
 public:
 	bool DeliverStream(const u_char* data, uint64_t len) override;
 	bool Undelivered(uint64_t offset, uint64_t len) override;
@ -86,10 +86,10 @@ public:
 	 * @param Returns the new record value and passes ownership to
 	 * caller.
 	 */
-	static zeek::RecordValPtr ParseCertificate(X509Val* cert_val, File* file = nullptr);
+	static zeek::RecordValPtr ParseCertificate(X509Val* cert_val, zeek::file_analysis::File* file = nullptr);
-	static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
+	static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
-	                                            File* file)
+	                                                  zeek::file_analysis::File* file)
 		{ return new X509(std::move(args), file); }
 	/**
@ -127,7 +127,7 @@ public:
 		{ cache_hit_callback = std::move(func); }
 protected:
-	X509(zeek::RecordValPtr args, File* file);
+	X509(zeek::RecordValPtr args, zeek::file_analysis::File* file);
 private:
 	void ParseBasicConstraints(X509_EXTENSION* ex);
@ -196,4 +196,11 @@ private:
 	::X509* certificate; // the wrapped certificate
 };
-}
+} // namespace zeek::file_analysis::detail
 namespace file_analysis {
 	using X509 [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::X509.")]] = zeek::file_analysis::detail::X509;
 	using X509Val [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::X509Val.")]] = zeek::file_analysis::detail::X509Val;
 } // namespace file_analysis
--- a/src/file_analysis/analyzer/x509/X509Common.cc
+++ b/src/file_analysis/analyzer/x509/X509Common.cc
@ -14,15 +14,16 @@
 #include <openssl/opensslconf.h>
 #include <openssl/err.h>
-using namespace file_analysis;
+namespace zeek::file_analysis::detail {
-X509Common::X509Common(const file_analysis::Tag& arg_tag,
+X509Common::X509Common(const zeek::file_analysis::Tag& arg_tag,
-                       zeek::RecordValPtr arg_args, File* arg_file)
+                       zeek::RecordValPtr arg_args,
-	: file_analysis::Analyzer(arg_tag, std::move(arg_args), arg_file)
+                       zeek::file_analysis::File* arg_file)
 	: zeek::file_analysis::Analyzer(arg_tag, std::move(arg_args), arg_file)
 	{
 	}
-static void EmitWeird(const char* name, File* file, const char* addl = "")
+static void EmitWeird(const char* name, zeek::file_analysis::File* file, const char* addl = "")
 	{
 	if ( file )
 		zeek::reporter->Weird(file, name, addl);
@ -30,7 +31,7 @@ static void EmitWeird(const char* name, File* file, const char* addl = "")
 		zeek::reporter->Weird(name);
 	}
-double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, File* f, zeek::Reporter* reporter)
+double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, zeek::file_analysis::File* f, zeek::Reporter* reporter)
 	{
 	time_t lResult = 0;
@ -187,7 +188,7 @@ double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, File* f, zeek::Report
 	return lResult;
 }
-void file_analysis::X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext)
+void X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext)
 	{
 	// Ok, signed certificate timestamps are a bit of an odd case out; we don't
 	// want to use the (basically nonexistant) OpenSSL functionality to parse them.
@ -231,7 +232,7 @@ void file_analysis::X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION*
 	delete conn;
 	}
-void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr& h, bool global)
+void X509Common::ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr& h, bool global)
 	{
 	char name[256];
 	char oid[256];
@ -298,7 +299,7 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const zeek::E
 	ParseExtensionsSpecific(ex, global, ext_asn, oid);
 	}
-zeek::StringValPtr file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
+zeek::StringValPtr X509Common::GetExtensionFromBIO(BIO* bio, zeek::file_analysis::File* f)
 	{
 	BIO_flush(bio);
 	ERR_clear_error();
@ -338,3 +339,5 @@ zeek::StringValPtr file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File
 	return ext_val;
 	}
 } // namespace zeek::file_analysis::detail
--- a/src/file_analysis/analyzer/x509/X509Common.h
+++ b/src/file_analysis/analyzer/x509/X509Common.h
@ -13,18 +13,17 @@
 ZEEK_FORWARD_DECLARE_NAMESPACED(EventHandlerPtr, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Reporter, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(StringVal, zeek);
 ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis);
 ZEEK_FORWARD_DECLARE_NAMESPACED(Tag, zeek, file_analysis);
 namespace zeek {
 template <class T> class IntrusivePtr;
 using StringValPtr = zeek::IntrusivePtr<StringVal>;
 }
-namespace file_analysis {
+namespace zeek::file_analysis::detail {
-class Tag;
+class X509Common : public zeek::file_analysis::Analyzer {
 class File;
 class X509Common : public file_analysis::Analyzer {
 public:
 	~X509Common() override {};
@ -39,17 +38,25 @@ public:
 	 *
 	 * @return The X509 extension value.
 	 */
-	static zeek::StringValPtr GetExtensionFromBIO(BIO* bio, File* f = nullptr);
+	static zeek::StringValPtr GetExtensionFromBIO(BIO* bio, zeek::file_analysis::File* f = nullptr);
-	static double GetTimeFromAsn1(const ASN1_TIME* atime, File* f, zeek::Reporter* reporter);
+	static double GetTimeFromAsn1(const ASN1_TIME* atime, zeek::file_analysis::File* f,
 	                              zeek::Reporter* reporter);
 protected:
-	X509Common(const file_analysis::Tag& arg_tag,
+	X509Common(const zeek::file_analysis::Tag& arg_tag,
-	           zeek::RecordValPtr arg_args, File* arg_file);
+	           zeek::RecordValPtr arg_args,
 	           zeek::file_analysis::File* arg_file);
 	void ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr& h, bool global);
 	void ParseSignedCertificateTimestamps(X509_EXTENSION* ext);
 	virtual void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) = 0;
 };
-}
+} // namespace zeek:file_analysis
 namespace file_analysis {
 	using X509Common [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::X509Common.")]] = zeek::file_analysis::detail::X509Common;
 } // namespace file_analysis
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@ -42,7 +42,7 @@ STACK_OF(X509)* x509_get_untrusted_stack(zeek::VectorVal* certs_vec)
 			continue;
 		// Fixme: check type
-		X509* x = ((file_analysis::X509Val*) sv.get())->GetCertificate();
+		X509* x = ((zeek::file_analysis::detail::X509Val*) sv.get())->GetCertificate();
 		if ( ! x )
 			{
 			sk_X509_free(untrusted_certs);
@ -147,9 +147,9 @@ const EVP_MD* hash_to_evp(int hash)
 function x509_parse%(cert: opaque of x509%): X509::Certificate
 	%{
 	assert(cert);
-	file_analysis::X509Val* h = (file_analysis::X509Val*) cert;
+	auto* h = (zeek::file_analysis::detail::X509Val*) cert;
-	return file_analysis::X509::ParseCertificate(h);
+	return zeek::file_analysis::detail::X509::ParseCertificate(h);
 	%}
 ## Constructs an opaque of X509 from a der-formatted string.
@ -162,7 +162,7 @@ function x509_parse%(cert: opaque of x509%): X509::Certificate
 function x509_from_der%(der: string%): opaque of x509
    %{
    const u_char* data = der->Bytes();
-    return zeek::make_intrusive<file_analysis::X509Val>(d2i_X509(nullptr, &data, der->Len()));
+    return zeek::make_intrusive<zeek::file_analysis::detail::X509Val>(d2i_X509(nullptr, &data, der->Len()));
    %}
 ## Returns the string form of a certificate.
@ -180,7 +180,7 @@ function x509_from_der%(der: string%): opaque of x509
 function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F%): string
 	%{
 	assert(cert);
-	file_analysis::X509Val* h = (file_analysis::X509Val*) cert;
+	auto* h = (zeek::file_analysis::detail::X509Val*) cert;
 	BIO *bio = BIO_new(BIO_s_mem());
@ -190,7 +190,7 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
 	else
 		i2d_X509_bio(bio, h->GetCertificate());
-	auto ext_val = file_analysis::X509::GetExtensionFromBIO(bio);
+	auto ext_val = zeek::file_analysis::detail::X509::GetExtensionFromBIO(bio);
 	if ( ! ext_val )
 		ext_val = zeek::val_mgr->EmptyString();
@ -217,7 +217,7 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
 function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result
 	%{
 	zeek::RecordValPtr rval;
-	X509_STORE* ctx = ::file_analysis::X509::GetRootStore(root_certs->AsTableVal());
+	X509_STORE* ctx = zeek::file_analysis::detail::X509::GetRootStore(root_certs->AsTableVal());
 	if ( ! ctx )
 		return x509_result_record(-1, "Problem initializing root store");
@ -238,7 +238,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
 		return x509_result_record(-1, "undefined value in certificate vector");
 		}
-	file_analysis::X509Val* cert_handle = (file_analysis::X509Val*) sv.get();
+	auto* cert_handle = (zeek::file_analysis::detail::X509Val*) sv.get();
 	X509* cert = cert_handle->GetCertificate();
 	if ( ! cert )
@ -503,7 +503,7 @@ x509_ocsp_cleanup:
 ##              x509_get_certificate_string x509_ocsp_verify sct_verify
 function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result
 	%{
-	X509_STORE* ctx = ::file_analysis::X509::GetRootStore(root_certs->AsTableVal());
+	X509_STORE* ctx = zeek::file_analysis::detail::X509::GetRootStore(root_certs->AsTableVal());
 	if ( ! ctx )
 		return x509_result_record(-1, "Problem initializing root store");
@ -523,7 +523,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 		zeek::emit_builtin_error("undefined value in certificate vector");
 		return x509_result_record(-1, "undefined value in certificate vector");
 		}
-	file_analysis::X509Val* cert_handle = (file_analysis::X509Val*) sv.get();
+	auto* cert_handle = (zeek::file_analysis::detail::X509Val*) sv.get();
 	X509* cert = cert_handle->GetCertificate();
 	if ( ! cert )
@ -565,7 +565,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 			if ( currcert )
 				// X509Val takes ownership of currcert.
-				chainVector->Assign(i, zeek::make_intrusive<file_analysis::X509Val>(currcert));
+				chainVector->Assign(i, zeek::make_intrusive<zeek::file_analysis::detail::X509Val>(currcert));
 			else
 				{
 				zeek::reporter->InternalWarning("OpenSSL returned null certificate");
@ -614,8 +614,8 @@ x509_verify_chainerror:
 function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""%): bool
 	%{
 	assert(cert);
-	file_analysis::X509Val* h = (file_analysis::X509Val*) cert;
+	auto* h = (zeek::file_analysis::detail::X509Val*) cert;
-	X509* x = ((file_analysis::X509Val*) h)->GetCertificate();
+	X509* x = ((zeek::file_analysis::detail::X509Val*) h)->GetCertificate();
 	assert(sizeof(timestamp) >= 8);
 	uint64_t timestamp_network = htonll(timestamp);
@ -762,7 +762,7 @@ sct_verify_err:
 * 1 -> issuer name
 * 2 -> pubkey
 */
-zeek::StringValPtr x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int hash_alg, unsigned int type)
+zeek::StringValPtr x509_entity_hash(zeek::file_analysis::detail::X509Val *cert_handle, unsigned int hash_alg, unsigned int type)
 	{
 	assert(cert_handle);
@ -842,7 +842,7 @@ zeek::StringValPtr x509_entity_hash(file_analysis::X509Val *cert_handle, unsigne
 ##              x509_verify sct_verify
 function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string
 	%{
-	file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
+	auto* cert_handle = (zeek::file_analysis::detail::X509Val *) cert;
 	return x509_entity_hash(cert_handle, hash_alg, 0);
 	%}
@ -860,7 +860,7 @@ function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string
 ##              x509_verify sct_verify
 function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string
 	%{
-	file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
+	auto* cert_handle = (zeek::file_analysis::detail::X509Val *) cert;
 	return x509_entity_hash(cert_handle, hash_alg, 1);
 	%}
@ -878,7 +878,7 @@ function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string
 ##              x509_verify sct_verify
 function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string
 	%{
-	file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
+	auto* cert_handle = (zeek::file_analysis::detail::X509Val *) cert;
 	return x509_entity_hash(cert_handle, hash_alg, 2);
 	%}
@ -901,7 +901,7 @@ function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string
 ## .. zeek:see:: x509_set_certificate_cache_hit_callback
 function x509_set_certificate_cache%(tbl: string_any_table%) : bool
 	%{
-	file_analysis::X509::SetCertificateCache({zeek::NewRef{}, tbl->AsTableVal()});
+	zeek::file_analysis::detail::X509::SetCertificateCache({zeek::NewRef{}, tbl->AsTableVal()});
 	return zeek::val_mgr->True();
 	%}
@ -919,7 +919,7 @@ function x509_set_certificate_cache%(tbl: string_any_table%) : bool
 ## .. zeek:see:: x509_set_certificate_cache
 function x509_set_certificate_cache_hit_callback%(f: string_any_file_hook%) : bool
 	%{
-	file_analysis::X509::SetCertificateCacheHitCallback({zeek::NewRef{}, f->AsFunc()});
+	zeek::file_analysis::detail::X509::SetCertificateCacheHitCallback({zeek::NewRef{}, f->AsFunc()});
 	return zeek::val_mgr->True();
 	%}
--- a/src/file_analysis/file_analysis.bif
+++ b/src/file_analysis/file_analysis.bif
@ -13,28 +13,28 @@ type AnalyzerArgs: record;
 ## :zeek:see:`Files::set_timeout_interval`.
 function Files::__set_timeout_interval%(file_id: string, t: interval%): bool
 	%{
-	bool result = file_mgr->SetTimeoutInterval(file_id->CheckString(), t);
+	bool result = zeek::file_mgr->SetTimeoutInterval(file_id->CheckString(), t);
 	return zeek::val_mgr->Bool(result);
 	%}
 ## :zeek:see:`Files::enable_reassembly`.
 function Files::__enable_reassembly%(file_id: string%): bool
 	%{
-	bool result = file_mgr->EnableReassembly(file_id->CheckString());
+	bool result = zeek::file_mgr->EnableReassembly(file_id->CheckString());
 	return zeek::val_mgr->Bool(result);
 	%}
 ## :zeek:see:`Files::disable_reassembly`.
 function Files::__disable_reassembly%(file_id: string%): bool
 	%{
-	bool result = file_mgr->DisableReassembly(file_id->CheckString());
+	bool result = zeek::file_mgr->DisableReassembly(file_id->CheckString());
 	return zeek::val_mgr->Bool(result);
 	%}
 ## :zeek:see:`Files::set_reassembly_buffer_size`.
 function Files::__set_reassembly_buffer%(file_id: string, max: count%): bool
 	%{
-	bool result = file_mgr->SetReassemblyBuffer(file_id->CheckString(), max);
+	bool result = zeek::file_mgr->SetReassemblyBuffer(file_id->CheckString(), max);
 	return zeek::val_mgr->Bool(result);
 	%}
@ -43,8 +43,9 @@ function Files::__add_analyzer%(file_id: string, tag: Files::Tag, args: any%): b
 	%{
 	using zeek::BifType::Record::Files::AnalyzerArgs;
 	auto rv = args->AsRecordVal()->CoerceTo(AnalyzerArgs);
-	bool result = file_mgr->AddAnalyzer(file_id->CheckString(),
+	bool result = zeek::file_mgr->AddAnalyzer(
-	                                    file_mgr->GetComponentTag(tag),
+	     file_id->CheckString(),
 	     zeek::file_mgr->GetComponentTag(tag),
 	     std::move(rv));
 	return zeek::val_mgr->Bool(result);
 	%}
@ -54,8 +55,9 @@ function Files::__remove_analyzer%(file_id: string, tag: Files::Tag, args: any%)
 	%{
 	using zeek::BifType::Record::Files::AnalyzerArgs;
 	auto rv = args->AsRecordVal()->CoerceTo(AnalyzerArgs);
-	bool result = file_mgr->RemoveAnalyzer(file_id->CheckString(),
+	bool result = zeek::file_mgr->RemoveAnalyzer(
-	                                       file_mgr->GetComponentTag(tag),
+		file_id->CheckString(),
 		zeek::file_mgr->GetComponentTag(tag),
 		std::move(rv));
 	return zeek::val_mgr->Bool(result);
 	%}
@ -63,21 +65,21 @@ function Files::__remove_analyzer%(file_id: string, tag: Files::Tag, args: any%)
 ## :zeek:see:`Files::stop`.
 function Files::__stop%(file_id: string%): bool
 	%{
-	bool result = file_mgr->IgnoreFile(file_id->CheckString());
+	bool result = zeek::file_mgr->IgnoreFile(file_id->CheckString());
 	return zeek::val_mgr->Bool(result);
 	%}
 ## :zeek:see:`Files::analyzer_name`.
 function Files::__analyzer_name%(tag: Files::Tag%) : string
 	%{
-	const auto& n = file_mgr->GetComponentName(zeek::IntrusivePtr{zeek::NewRef{}, tag->AsEnumVal()});
+	const auto& n = zeek::file_mgr->GetComponentName(zeek::IntrusivePtr{zeek::NewRef{}, tag->AsEnumVal()});
 	return zeek::make_intrusive<zeek::StringVal>(n);
 	%}
 ## :zeek:see:`Files::file_exists`.
 function Files::__file_exists%(fuid: string%): bool
 	%{
-	if ( file_mgr->LookupFile(fuid->CheckString()) != nullptr )
+	if ( zeek::file_mgr->LookupFile(fuid->CheckString()) != nullptr )
 		return zeek::val_mgr->True();
 	else
 		return zeek::val_mgr->False();
@ -86,7 +88,7 @@ function Files::__file_exists%(fuid: string%): bool
 ## :zeek:see:`Files::lookup_file`.
 function Files::__lookup_file%(fuid: string%): fa_file
 	%{
-	auto f = file_mgr->LookupFile(fuid->CheckString());
+	auto f = zeek::file_mgr->LookupFile(fuid->CheckString());
 	if ( f != nullptr )
 		return f->ToVal();
@ -108,6 +110,6 @@ function set_file_handle%(handle: string%): any
 	%{
 	auto bytes = reinterpret_cast<const char*>(handle->Bytes());
 	auto h = std::string(bytes, handle->Len());
-	file_mgr->SetHandle(h);
+	zeek::file_mgr->SetHandle(h);
 	return nullptr;
 	%}
--- a/src/input/Manager.cc
+++ b/src/input/Manager.cc
@ -783,7 +783,7 @@ bool Manager::CreateAnalysisStream(zeek::RecordVal* fval)
 		return false;
 		}
-	stream->file_id = file_mgr->HashHandle(stream->name);
+	stream->file_id = zeek::file_mgr->HashHandle(stream->name);
 	assert(stream->reader);
@ -1099,7 +1099,7 @@ void Manager::SendEntry(ReaderFrontend* reader, Value* *vals)
 		{
 		readFields = 1;
 		assert(vals[0]->type == zeek::TYPE_STRING);
-		file_mgr->DataIn(reinterpret_cast<u_char*>(vals[0]->val.string_val.data),
+		zeek::file_mgr->DataIn(reinterpret_cast<u_char*>(vals[0]->val.string_val.data),
 		                                      vals[0]->val.string_val.length,
 		                                      static_cast<AnalysisStream*>(i)->file_id, i->name);
 		}
@ -1437,7 +1437,7 @@ void Manager::SendEndOfData(const Stream *i)
 	          new zeek::StringVal(i->reader->Info().source));
 	if ( i->stream_type == ANALYSIS_STREAM )
-		file_mgr->EndOfFile(static_cast<const AnalysisStream*>(i)->file_id);
+		zeek::file_mgr->EndOfFile(static_cast<const AnalysisStream*>(i)->file_id);
 	}
 void Manager::Put(ReaderFrontend* reader, Value* *vals)
@ -1469,7 +1469,7 @@ void Manager::Put(ReaderFrontend* reader, Value* *vals)
 		{
 		readFields = 1;
 		assert(vals[0]->type == zeek::TYPE_STRING);
-		file_mgr->DataIn(reinterpret_cast<u_char*>(vals[0]->val.string_val.data),
+		zeek::file_mgr->DataIn(reinterpret_cast<u_char*>(vals[0]->val.string_val.data),
 		                       vals[0]->val.string_val.length,
 		                       static_cast<AnalysisStream*>(i)->file_id, i->name);
 		}
--- a/src/reporter.bif
+++ b/src/reporter.bif
@ -149,7 +149,7 @@ function Reporter::conn_weird%(name: string, c: connection, addl: string &defaul
 function Reporter::file_weird%(name: string, f: fa_file, addl: string &default=""%): bool
 	%{
 	auto fuid = f->AsRecordVal()->GetField(0)->AsStringVal();
-	auto file = file_mgr->LookupFile(fuid->CheckString());
+	auto file = zeek::file_mgr->LookupFile(fuid->CheckString());
 	if ( ! file )
 		return zeek::val_mgr->False();
--- a/src/stats.bif
+++ b/src/stats.bif
@ -311,9 +311,9 @@ function get_file_analysis_stats%(%): FileAnalysisStats
 	auto r = zeek::make_intrusive<zeek::RecordVal>(FileAnalysisStats);
 	int n = 0;
-	r->Assign(n++, zeek::val_mgr->Count(file_mgr->CurrentFiles()));
+	r->Assign(n++, zeek::val_mgr->Count(zeek::file_mgr->CurrentFiles()));
-	r->Assign(n++, zeek::val_mgr->Count(file_mgr->MaxFiles()));
+	r->Assign(n++, zeek::val_mgr->Count(zeek::file_mgr->MaxFiles()));
-	r->Assign(n++, zeek::val_mgr->Count(file_mgr->CumulativeFiles()));
+	r->Assign(n++, zeek::val_mgr->Count(zeek::file_mgr->CumulativeFiles()));
 	return r;
 	%}
--- a/src/zeek-setup.cc
+++ b/src/zeek-setup.cc
@ -105,7 +105,8 @@ zeek::detail::TimerMgr*& timer_mgr = zeek::detail::timer_mgr;
 logging::Manager* log_mgr = nullptr;
 threading::Manager* thread_mgr = nullptr;
 input::Manager* input_mgr = nullptr;
-file_analysis::Manager* file_mgr = nullptr;
+zeek::file_analysis::Manager* zeek::file_mgr = nullptr;
 zeek::file_analysis::Manager*& file_mgr = zeek::file_mgr;
 zeekygen::Manager* zeekygen_mgr = nullptr;
 iosource::Manager* iosource_mgr = nullptr;
 bro_broker::Manager* broker_mgr = nullptr;
@ -280,7 +281,7 @@ void terminate_bro()
 	// File analysis termination may produce events, so do it early on in
 	// the termination process.
-	file_mgr->Terminate();
+	zeek::file_mgr->Terminate();
 	zeek::detail::script_coverage_mgr.WriteStats();
@ -315,7 +316,7 @@ void terminate_bro()
 	delete zeekygen_mgr;
 	delete zeek::analyzer_mgr;
-	delete file_mgr;
+	delete zeek::file_mgr;
 	// broker_mgr, timer_mgr, and supervisor are deleted via iosource_mgr
 	delete iosource_mgr;
 	delete zeek::event_registry;
@ -581,14 +582,14 @@ zeek::detail::SetupResult zeek::detail::setup(int argc, char** argv,
 	zeek::analyzer_mgr = new analyzer::Manager();
 	log_mgr = new logging::Manager();
 	input_mgr = new input::Manager();
-	file_mgr = new file_analysis::Manager();
+	zeek::file_mgr = new file_analysis::Manager();
 	auto broker_real_time = ! options.pcap_file && ! options.deterministic_mode;
 	broker_mgr = new bro_broker::Manager(broker_real_time);
 	trigger_mgr = new zeek::detail::trigger::Manager();
 	zeek::plugin_mgr->InitPreScript();
 	zeek::analyzer_mgr->InitPreScript();
-	file_mgr->InitPreScript();
+	zeek::file_mgr->InitPreScript();
 	zeekygen_mgr->InitPreScript();
 	bool missing_plugin = false;
@ -674,7 +675,7 @@ zeek::detail::SetupResult zeek::detail::setup(int argc, char** argv,
 		}
 	zeek::analyzer_mgr->InitPostScript();
-	file_mgr->InitPostScript();
+	zeek::file_mgr->InitPostScript();
 	zeek::detail::dns_mgr->InitPostScript();
 	if ( options.parse_only )
@ -729,7 +730,7 @@ zeek::detail::SetupResult zeek::detail::setup(int argc, char** argv,
 		if ( options.print_signature_debug_info )
 			rule_matcher->PrintDebug();
-		file_mgr->InitMagic();
+		zeek::file_mgr->InitMagic();
 		}
 	if ( g_policy_debug )
--- a/src/zeek.bif
+++ b/src/zeek.bif
@ -980,7 +980,7 @@ function identify_data%(data: string, return_mime: bool &default=T%): string
 	if ( ! return_mime )
 		zeek::reporter->Warning("identify_data() builtin-function only returns MIME types, but verbose file info requested");
-	string strongest_match = file_mgr->DetectMIME(data->Bytes(), data->Len());
+	string strongest_match = zeek::file_mgr->DetectMIME(data->Bytes(), data->Len());
 	if ( strongest_match.empty() )
 		return zeek::make_intrusive<zeek::StringVal>("<unknown>");
@ -999,7 +999,7 @@ function identify_data%(data: string, return_mime: bool &default=T%): string
 function file_magic%(data: string%): mime_matches
 	%{
 	zeek::detail::RuleMatcher::MIME_Matches matches;
-	file_mgr->DetectMIME(data->Bytes(), data->Len(), &matches);
+	zeek::file_mgr->DetectMIME(data->Bytes(), data->Len(), &matches);
 	return file_analysis::GenMIMEMatchesVal(matches);
 	%}
--- a/src/zeekygen/Target.cc
+++ b/src/zeekygen/Target.cc
@ -44,9 +44,9 @@ static void write_analyzer_component(FILE* f, const zeek::analyzer::Component* c
 	fprintf(f, ":zeek:enum:`Analyzer::%s`\n\n", tag.c_str());
 	}
-static void write_analyzer_component(FILE* f, const file_analysis::Component* c)
+static void write_analyzer_component(FILE* f, const zeek::file_analysis::Component* c)
 	{
-	const auto& atag = file_mgr->GetTagType();
+	const auto& atag = zeek::file_mgr->GetTagType();
 	string tag = fmt("ANALYZER_%s", c->CanonicalName().c_str());
 	if ( atag->Lookup("Files", tag.c_str()) < 0 )
@ -79,8 +79,8 @@ static void write_plugin_components(FILE* f, const zeek::plugin::Plugin* p)
 		case zeek::plugin::component::FILE_ANALYZER:
 			{
-			const file_analysis::Component* c =
+			const auto* c =
-			        dynamic_cast<const file_analysis::Component*>(component);
+				dynamic_cast<const zeek::file_analysis::Component*>(component);
 			if ( c )
 				write_analyzer_component(f, c);
--- a/zeek-config.h.in
+++ b/zeek-config.h.in
@ -278,8 +278,8 @@ extern const char* BRO_VERSION_FUNCTION();
 // Note: macros for internal use only during deprecation/namespacing process.
 // This uses funny VA_ARGS tricks so that we can overload the name and have multiple macros for
 // varying namespace lengths.
-#define GET_MACRO(_0, _1, _2, _3, NAME, ...) NAME
+#define GET_MACRO(_0, _1, _2, _3, _4, NAME, ...) NAME
-#define ZEEK_FORWARD_DECLARE_NAMESPACED( ... ) GET_MACRO(_0, ##__VA_ARGS__, ZEEK_FDN_3, ZEEK_FDN_2, ZEEK_FDN_1, ZEEK_FDN_0)(__VA_ARGS__)
+#define ZEEK_FORWARD_DECLARE_NAMESPACED( ... ) GET_MACRO(_0, ##__VA_ARGS__, ZEEK_FDN_4, ZEEK_FDN_3, ZEEK_FDN_2, ZEEK_FDN_1, ZEEK_FDN_0)(__VA_ARGS__)
 #define ZEEK_FDN_0()
 #define ZEEK_FDN_1(cls)
 #define ZEEK_FDN_2(cls, ns) \
@ -288,3 +288,6 @@ extern const char* BRO_VERSION_FUNCTION();
 #define ZEEK_FDN_3(cls, ns1, ns2) \
 	namespace ns1::ns2 { class cls; } \
 	namespace ns2 { using cls [[deprecated("Remove in v4.1. Use " #ns1 "::" #ns2 "::" #cls " instead.")]] = ns1::ns2::cls; }
 #define ZEEK_FDN_4(cls, ns1, ns2, ns3) \
 	namespace ns1::ns2::ns3 { class cls; } \
 	namespace ns2 { using cls [[deprecated("Remove in v4.1. Use " #ns1 "::" #ns2 "::" #ns3 "::" #cls " instead.")]] = ns1::ns2::ns3::cls; }