Suricata

Add a field to EVE records specifying the IP version.

Use case: I wanted to limit a set of eve records down to just IPv4 as there were a lot of IPv6 records in the stream, and there was no field to filter on short of a regular express on the IP addresses.

It actually doesn't seem common for other tools in this space to log this field either. Instead it is often added by post-processing tools based on inspecting the IP addresses.

Possible examples:

"ip_ver": 4

or a key of "ipv, "ip_version", I think this fits our current schema the best.

But I've also seen:

"network_type": "ipv4"