Feature #8428

open

Include GENEVE tunnel options in EVE JSON logs

Added by fahri 4 days ago. Updated 4 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
Effort:
Difficulty:
Label:

Description

Hey,

When Suricata decapsulates GENEVE tunnel traffic, the optional TLV metadata from the GENEVE header is not included in the EVE JSON output.

When multiple sources send traffic through GENEVE tunnels to a single Suricata instance, the inner packets can share the same private address space. Including the tunnel options in the EVE output would allow operators to attribute alerts to the correct tunnel source.

Would it be possible to parse GENEVE tunnel options (class, type, value), or add config support for this depending on user request, during decapsulation and include them in the EVE JSON output alongside the existing tunnel metadata?

Thanks
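
As an added illustration (not Suricata's own code), the following Python parser walks a GENEVE header as laid out in RFC 8926 and extracts the option TLVs as the class/type/value triples the request refers to. The metadata key names are assumed for illustration rather than Suricata's actual EVE field names, and the sample packet is constructed.

```python
import struct

GENEVE_BASE_LEN = 8  # ver/optlen, flags, protocol type, VNI, reserved


def parse_geneve(payload: bytes):
    """Parse a GENEVE header (RFC 8926) and its TLV options.
    Returns (metadata, inner_payload); metadata key names are assumed
    for illustration and are not Suricata's actual EVE field names."""
    if len(payload) < GENEVE_BASE_LEN:
        raise ValueError("truncated GENEVE base header")
    b0, flags, proto = struct.unpack("!BBH", payload[:4])
    if b0 >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    end = GENEVE_BASE_LEN + (b0 & 0x3F) * 4  # Opt Len is in 4-byte words
    if len(payload) < end:
        raise ValueError("Opt Len exceeds captured payload")
    options, off = [], GENEVE_BASE_LEN
    while off < end:
        if end - off < 4:
            raise ValueError("option header straddles end of options")
        opt_class, opt_type, len_byte = struct.unpack("!HBB", payload[off:off + 4])
        data_len = (len_byte & 0x1F) * 4  # low 5 bits, in 4-byte words
        off += 4
        if off + data_len > end:
            raise ValueError("option data exceeds Opt Len")
        options.append({
            "class": opt_class,
            "type": opt_type & 0x7F,
            "critical": bool(opt_type & 0x80),  # C bit: must be understood
            "value": payload[off:off + data_len].hex(),
        })
        off += data_len
    metadata = {
        "vni": int.from_bytes(payload[4:7], "big"),
        "protocol": proto,
        "oam": bool(flags & 0x80),
        "critical_options": bool(flags & 0x40),
        "options": options,
    }
    return metadata, payload[end:]


# Constructed sample: VNI 0xabc, inner Ethernet (0x6558), one critical
# option (class 0x0102, type 0, 4 data bytes), then a placeholder frame.
SAMPLE = bytes([
    0x02, 0x40, 0x65, 0x58, 0x00, 0x0a, 0xbc, 0x00,
    0x01, 0x02, 0x80, 0x01, 0x00, 0x00, 0x00, 0x2a,
]) + b"\xde\xad\xbe\xef"
```

Attaching the returned metadata to each alert raised on the inner packet gives the per-tunnel attribution the description asks for, even when inner addresses overlap across sources.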


Related issues (1 open, 0 closed)

Related to Suricata - Feature #6468: flow-tracking: add geneve as a flow tracking parameter (New, OISF Dev)