Bug #8172
openflow: mac addresses are not swapped
Affected Versions:
Effort:
Difficulty:
Label:
Description
When a flow is reversed, MAC addresses are not swapped, resulting in the same MAC appearing in both "src_macs" and "dest_macs".
Below is an example showing the issue (tested using the PCAP from suricata-verify/tests/dns-reversed-tcp-1).
"src_macs" should contain only "d8:cb:8a:ed:a1:46", and "dest_macs" should contain only "00:15:17:0d:06:f7".
To reproduce the issue, enabling stream.midstream and eve.ethernet is sufficient.
{
  "timestamp": "2017-01-26T21:16:58.270725+0100",
  "flow_id": 599807472082420,
  "event_type": "flow",
  "src_ip": "10.16.1.11",
  "src_port": 38195,
  "dest_ip": "8.8.4.4",
  "dest_port": 53,
  "ip_v": 4,
  "proto": "TCP",
  "app_proto": "dns",
  "flow": {
    ...
  },
  "ether": {
    "dest_macs": [
      "d8:cb:8a:ed:a1:46",
      "00:15:17:0d:06:f7"
    ],
    "src_macs": [
      "00:15:17:0d:06:f7",
      "d8:cb:8a:ed:a1:46"
    ]
  },
  "tcp": {
    ...
  }
}
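The following is an added illustration, not Suricata's own code: a small model of per-direction MAC bookkeeping on a midstream flow, run once without and once with the MAC swap on flow reversal, plus a check over an eve "flow" record that reports any MAC appearing in both "src_macs" and "dest_macs". The packet and flow field names, the "from_server" marker standing in for Suricata's midstream direction detection, and the two constructed packets are assumptions for this example; the MAC and IP values are the ones from the record above.

```python
"""Model of MAC list handling when a midstream flow is reversed (added example)."""
import json

CLIENT_IP, CLIENT_MAC = "10.16.1.11", "d8:cb:8a:ed:a1:46"
SERVER_IP, SERVER_MAC = "8.8.4.4", "00:15:17:0d:06:f7"

# Constructed packets: the first packet seen is from the server (midstream
# pickup), so the flow is created in the wrong direction and later reversed.
PACKETS = [
    {"src_ip": SERVER_IP, "dest_ip": CLIENT_IP,
     "src_mac": SERVER_MAC, "dest_mac": CLIENT_MAC, "from_server": True},
    {"src_ip": CLIENT_IP, "dest_ip": SERVER_IP,
     "src_mac": CLIENT_MAC, "dest_mac": SERVER_MAC, "from_server": False},
]


def update_macs(flow, pkt):
    """Record the packet's MACs under the direction the packet travels in."""
    to_server = pkt["src_ip"] == flow["src_ip"]
    if to_server:
        src_list, dest_list = flow["src_macs"], flow["dest_macs"]
    else:
        src_list, dest_list = flow["dest_macs"], flow["src_macs"]
    if pkt["src_mac"] not in src_list:
        src_list.append(pkt["src_mac"])
    if pkt["dest_mac"] not in dest_list:
        dest_list.append(pkt["dest_mac"])


def reverse_flow(flow, swap_macs):
    """Reverse the flow; swap_macs=False reproduces the reported bug."""
    flow["src_ip"], flow["dest_ip"] = flow["dest_ip"], flow["src_ip"]
    if swap_macs:
        flow["src_macs"], flow["dest_macs"] = flow["dest_macs"], flow["src_macs"]


def build_flow(packets, swap_macs):
    """Create a flow from the first packet, reverse it if that packet came
    from the server, then feed the remaining packets."""
    first = packets[0]
    flow = {"src_ip": first["src_ip"], "dest_ip": first["dest_ip"],
            "src_macs": [], "dest_macs": []}
    update_macs(flow, first)
    if first["from_server"]:
        reverse_flow(flow, swap_macs)
    for pkt in packets[1:]:
        update_macs(flow, pkt)
    return flow


def overlapping_macs(record):
    """MACs listed as both source and destination in an eve flow record.
    A non-empty result is the symptom described in this ticket."""
    ether = record.get("ether", {})
    return sorted(set(ether.get("src_macs", [])) & set(ether.get("dest_macs", [])))


# Minimal copy of the eve record from the ticket, used as check input.
SAMPLE_RECORD = json.loads("""
{"event_type": "flow", "src_ip": "10.16.1.11", "dest_ip": "8.8.4.4",
 "ether": {"dest_macs": ["d8:cb:8a:ed:a1:46", "00:15:17:0d:06:f7"],
           "src_macs": ["00:15:17:0d:06:f7", "d8:cb:8a:ed:a1:46"]}}
""")

if __name__ == "__main__":
    print("buggy :", build_flow(PACKETS, swap_macs=False))
    print("fixed :", build_flow(PACKETS, swap_macs=True))
    print("overlap in ticket record:", overlapping_macs(SAMPLE_RECORD))
```

Without the swap the model reproduces the ticket's output exactly (both MACs in both lists); with the swap "src_macs" holds only the client MAC and "dest_macs" only the server MAC. The `overlapping_macs` check can be run over an existing eve.json to find flow records affected by this bug.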