Bug #7551
openTCP alerts missing from fast.log in Suricata 7.0
Description
Description:
After upgrading to Suricata 7.0, some TCP alerts no longer appear in fast.log. Specifically, server-to-client alerts are missing, while client-to-server alerts are logged correctly. This issue does not occur in Suricata 6.0.
Suricata Versions:
Working: 1:6.0.20-0ubuntu4
Not Working: 1:7.0.3-1build3, 1:7.0.8-0ubuntu0 (tested on both Ubuntu Noble and Jammy)
Reproduction Steps:
Use the following rule set:
alert tcp any any -> any any (msg: "Test alert message from client TCP flow"; content: "Test alert from client"; flow: established, from_client, only_stream; classtype:misc-activity; sid:1000001;)
alert tcp any any -> any any (msg: "Test alert message from server TCP flow"; content: "Test alert from server"; flow: established, from_server, only_stream; classtype:misc-activity; sid:1000002;)
Replay the attached pcap file.
Check fast.log.
Expected Behavior:
Both alerts should be logged:
[**] [1:1000001:0] Test alert message from client TCP flow [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.222:2222 -> 192.168.1.111:1111
[**] [1:1000002:0] Test alert message from server TCP flow [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.111:1111 -> 192.168.1.222:2222
Actual Behavior:
Only the client-to-server alert appears. The server-to-client alert is missing in Suricata 7.0.
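To confirm the regression mechanically instead of reading fast.log by eye, here is an added example (not part of this bug report or of Suricata) that parses fast.log records and reports which of the two expected alerts is absent. The fast.log text below is constructed to mirror the 7.0 output described above; the regex also accepts the timestamp prefix real fast.log lines carry.

```python
import re
from typing import Dict, List, Set, Tuple

# One fast.log record: optional timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, and the source/destination endpoints.
FASTLOG_LINE = re.compile(
    r"^(?:(?P<ts>\S+)\s+)?\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\] (?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>[A-Za-z0-9]+)\} "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# The two alerts the report expects: (sid, source IP, destination IP).
EXPECTED: Set[Tuple[int, str, str]] = {
    (1000001, "192.168.1.222", "192.168.1.111"),  # client -> server
    (1000002, "192.168.1.111", "192.168.1.222"),  # server -> client
}

# Constructed fast.log content reproducing the 7.0 behaviour in the report:
# only the client-to-server alert is present.
SAMPLE_70_FASTLOG = (
    "[**] [1:1000001:0] Test alert message from client TCP flow [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} "
    "192.168.1.222:2222 -> 192.168.1.111:1111\n"
)


def parse_fast_log(text: str) -> List[Dict[str, str]]:
    """Parse fast.log text into one dict per alert; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FASTLOG_LINE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def missing_alerts(text: str, expected: Set[Tuple[int, str, str]] = EXPECTED) -> List[Tuple[int, str, str]]:
    """Return the expected (sid, src, dst) triples that have no matching fast.log record."""
    seen = {(int(a["sid"]), a["src"], a["dst"]) for a in parse_fast_log(text)}
    return sorted(expected - seen)


if __name__ == "__main__":
    for sid, src, dst in missing_alerts(SAMPLE_70_FASTLOG):
        print(f"missing: sid {sid} {src} -> {dst}")
```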
Additional Information:
Issue is specific to TCP.
No modifications were made to the test environment between versions, aside from upgrading Suricata.
I have attached two capture files. When replaying the passing capture file with tcpreplay, both alerts are always present even on 7.0.8, but when replaying the failing capture file, only the client-to-server row is logged. On 6.0.20, replaying either of the two capture files results in correct logging.