Bug #7460
eve: empty src_ip and dest_ip values may be logged
Status: closed
Affected Versions:
Effort:
Difficulty:
Label:
Description
For events like IPv4 decode alerts, src_ip and dest_ip may be logged as empty strings. Additionally, the ports are logged as 0, and this is likely to impact any strict schema checking.
Example:
{
  "timestamp": "2024-12-16T12:29:34.570556-0600",
  "in_iface": "enp10s0",
  "event_type": "alert",
  "src_ip": "",
  "src_port": 0,
  "dest_ip": "",
  "dest_port": 0,
  "proto": "",
  "pkt_src": "wire/pcap",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2200003,
    "rev": 2,
    "signature": "SURICATA IPv4 truncated packet",
    "category": "Generic Protocol Command Decode",
    "severity": 3
  }
}
This is not a problem with git master which has this commit: https://github.com/OISF/suricata/commit/a1c6328156f
My recommendation would be to backport that commit as it's a clean cherry-pick and takes care of the ports as well.
It looks like it was introduced in 7.0.8 as part of the fix to #7432.
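The schema-checking impact the report mentions can be seen with a small consumer-side check. The script below is an added example, not Suricata code and not part of the original report: it parses newline-delimited EVE JSON and flags records whose src_ip/dest_ip are not parseable IP addresses, whose ports are 0, or whose proto is empty. The two sample records are constructed for the example; the first mirrors the shape shown in the report, the second is a placeholder normal alert (signature_id 1000001 is made up) for comparison. The function names endpoint_problems and scan_eve are this example's own.

```python
import ipaddress
import json

# Constructed sample EVE records (not from a real capture). The first has the
# shape reported in this bug: a decode alert with empty src_ip/dest_ip, empty
# proto and port 0. The second is a made-up normal IPv4 alert for comparison.
SAMPLE_EVE = "\n".join([
    json.dumps({
        "timestamp": "2024-12-16T12:29:34.570556-0600",
        "event_type": "alert",
        "src_ip": "", "src_port": 0, "dest_ip": "", "dest_port": 0, "proto": "",
        "alert": {"gid": 1, "signature_id": 2200003, "rev": 2,
                  "signature": "SURICATA IPv4 truncated packet"},
    }),
    json.dumps({
        "timestamp": "2024-12-16T12:29:35.000000-0600",
        "event_type": "alert",
        "src_ip": "10.0.0.5", "src_port": 51234,
        "dest_ip": "10.0.0.9", "dest_port": 80, "proto": "TCP",
        "alert": {"gid": 1, "signature_id": 1000001, "rev": 1,
                  "signature": "TEST placeholder normal alert"},
    }),
])


def endpoint_problems(record):
    """Return strict-schema violations found in the 5-tuple fields of one EVE record.

    Fields that are absent altogether are not flagged: a schema may allow a
    missing field while rejecting an empty string or a zero port.
    """
    problems = []
    for key in ("src_ip", "dest_ip"):
        value = record.get(key)
        if value is None:
            continue
        try:
            # ipaddress rejects "" as well as any other non-address string.
            ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"{key}={value!r} is not an IP address")
    for key in ("src_port", "dest_port"):
        port = record.get(key)
        if isinstance(port, int) and not 1 <= port <= 65535:
            problems.append(f"{key}={port} outside 1-65535")
    if "proto" in record and not record["proto"]:
        problems.append("proto is empty")
    return problems


def scan_eve(text):
    """Parse newline-delimited EVE JSON; return {line_number: [problems]} for failing records."""
    findings = {}
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            findings[line_no] = [f"invalid JSON: {exc.msg}"]
            continue
        problems = endpoint_problems(record)
        if problems:
            findings[line_no] = problems
    return findings


if __name__ == "__main__":
    for line_no, problems in scan_eve(SAMPLE_EVE).items():
        print(f"line {line_no}: " + "; ".join(problems))
```

Run it against a real eve.json by replacing SAMPLE_EVE with the file contents; only the decode-event record is reported, which is what a strict schema validator downstream of Suricata 7.0.8 would reject.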