Suricata

For suricata alert-events in eve.json there is a tunnel-node, that contains the outer ip-addresses. It would be great to get this node for flow-, netflow- and dns-events as well. This would make it possible to clearly identify the flow and compare/merge it with results of other tools.