This seems just as effective, but simpler.
Until you examine scope. The variable output goes out of scope when the function ends, so its destructor will be called. But, you returned that object. What exactly did you return? When will that memory get overwritten?
What you were doing before was creating and returning a new object, which is far safer.
Even better, though, is to use a reference variable (the array to store the data in) as input to the getCommand() function, which would then have a void type.
void getCommand(char *&incomingSerialData)
int incomingSerialDataIndex = 0; // Stores the next 'empty space' in the array
while(Serial.available() > 0)
incomingSerialData[incomingSerialDataIndex] = Serial.read();
incomingSerialDataIndex++; // Ensure the next byte is added in the next position
incomingSerialData[incomingSerialDataIndex] = '\0';
// Now, incomingSerialData contains the data, NULL terminated