Suricata

Hi all,

The Problem
The issue I'm trying to solve is correlating between an alert and the pcap log it creates in conditional mode for alerts. While the "capture_file" field in EVE JSON alerts should provide this correlation, there's a timing problem: the alert is generated and sent before the PCAP file is created and named. Solving this will be great however it seems quite difficult.

Suggested Solution
An alternative solution would be allowing flow IDs to be used in PCAP log filenames. This would create a deterministic mapping between alerts and PCAP logs.

I'm willing to implement this feature myself if it aligns with the project's goals. This would be my first contribution to Suricata, so I'd appreciate any guidance on the preferred approach.
Thanks in advance for your consideration!