Suricata

The attached is a single stream pcap from a malicious C2 beacon occurring multiple times over time.
It has 3whs and tear down but only one client hello packet , ack-ed by the server though.

The TLS version is TLSv1 according to Wireshark. Suricata protocol logs for TLS version displays "undetermined".

In this case it would be helpful if the protocol version is included in the log from security analysts/hunting perspective. It could maybe even be anomaly event ?

{
  "timestamp": "2022-11-24T11:16:23.277657+0100",
  "flow_id": 2240760637570876,
  "pcap_cnt": 9,
  "event_type": "tls",
  "src_ip": "192.168.46.2",
  "src_port": 49905,
  "dest_ip": "91.254.215.167",
  "dest_port": 443,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "metadata": {
    "flowbits": [
      "ET.Evil",
      "ET.BotccIP" 
    ]
  },
  "tls": {
    "version": "UNDETERMINED",
    "ja3": {
      "hash": "49ed2ef3f1321e5f044f1e71b0e6fdd5",
      "string": "769,49162-49161-49172-49171-53-47-10,5-10-11-35-23-65281,29-23-24,0" 
    }
  }
}

Tested on 7.0.0-beta1