Feature #821: conditional logging: output steering
Status: open
Effort: medium
Difficulty: high

Description
I would like to be able to log (or not) in various formats on a rule-by-rule basis. For example, I would like to see all HTTP requests directed at a particular sinkhole. It would be nice if I could simply add a rule like this:
alert tcp $HOME_NET any -> $SINKHOLE_NET 80 (msg:"Sinkhole HTTP"; content:"GET /"; log:http;)
Or better yet, I'd like to be able to define my own log keywords in suricata.yaml in order to direct debug, pcap, or http logging at different files for different rules.
outputs:
  - debug1:
      format: alert-debug
      enabled: conditional  # 'yes' - enable for all alerts, 'no' - disable, 'conditional' - enable for rules using a log keyword
      filename: alert-debug1.log
      append: yes
      filetype: regular
  - sinkhole-http:
      format: http-log
      enabled: conditional
      filename: sinkhole-http.log
      append: yes
alert tcp $HOME_NET any -> $SINKHOLE_NET 80 (msg:"Sinkhole HTTP"; content:"GET /"; log:sinkhole-http;)
alert tcp any 84 -> $HOME_NET any (msg:"Investigating strange traffic"; log:debug1;)
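A toy model of the semantics proposed above, added here for illustration (not Suricata code and not part of the ticket): rule options are parsed for the proposed `log:` keyword, and each alert is steered to outputs that are `enabled: yes` or that are `enabled: conditional` and named by the rule. The "fast" output and the third rule are constructed to show the contrast; treating a reference to an undefined output as a load error is an assumption.

```python
import re

# The two outputs proposed in the ticket, plus one hypothetical always-on
# output ("fast", enabled: yes) to show the contrast; all constructed here.
OUTPUTS = {
    "debug1":        {"format": "alert-debug", "enabled": "conditional", "filename": "alert-debug1.log"},
    "sinkhole-http": {"format": "http-log",    "enabled": "conditional", "filename": "sinkhole-http.log"},
    "fast":          {"format": "fast",        "enabled": "yes",         "filename": "fast.log"},
}

# The ticket's two rules plus a constructed third rule without a log: keyword.
RULES = [
    'alert tcp $HOME_NET any -> $SINKHOLE_NET 80 (msg:"Sinkhole HTTP"; content:"GET /"; log:sinkhole-http;)',
    'alert tcp any 84 -> $HOME_NET any (msg:"Investigating strange traffic"; log:debug1;)',
    'alert tcp any any -> $HOME_NET any (msg:"No log keyword";)',
]

# keyword[:value]; where a quoted value may itself contain ';'
OPTION_RE = re.compile(r'([\w.-]+)(?::((?:"[^"]*"|[^;])*))?;')

def parse_options(rule):
    """Return the rule's option block as {keyword: [values]} (quotes stripped)."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for key, val in OPTION_RE.findall(body):
        opts.setdefault(key, []).append(val.strip().strip('"'))
    return opts

def outputs_for(rule, outputs):
    """Outputs that receive this rule's alerts under the proposed semantics:
    'yes' receives everything, 'no' nothing, 'conditional' only when named by log:."""
    wanted = set(parse_options(rule).get("log", []))
    unknown = wanted - set(outputs)
    if unknown:  # assumption: naming an undefined output is a rule-load error
        raise ValueError(f"rule references undefined output(s): {sorted(unknown)}")
    return [name for name, cfg in outputs.items()
            if cfg["enabled"] == "yes"
            or (cfg["enabled"] == "conditional" and name in wanted)]

def steer_alerts(rules, outputs):
    """Map each output filename to the msg of every rule whose alerts would land there."""
    files = {cfg["filename"]: [] for cfg in outputs.values()}
    for rule in rules:
        msg = parse_options(rule).get("msg", [""])[0]
        for name in outputs_for(rule, outputs):
            files[outputs[name]["filename"]].append(msg)
    return files
```

Running `steer_alerts(RULES, OUTPUTS)` shows the sinkhole rule landing only in sinkhole-http.log and fast.log, the port-84 rule only in alert-debug1.log and fast.log, and the rule without a `log:` keyword only in fast.log.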