Cherry-pick #19494 to 7.8: Fix tls mapping in suricata module

[leehinman]

Cherry-pick of PR #19494 to 7.8 branch. Original message:

What does this PR do?

Fixes tls mappings in suricata module. Specifically:

• add suricata.eve.tls.ja3s.string field
• add suricata.eve.tls.ja3s.hash field
• add suricata.eve.tls.ja3.string field
• add suricata.eve.tls.ja3.hash field
• set default_field to false for suricata fields
• map suricata.eve.tls.ja3.hash to tls.client.ja3
• map suricata.eve.tls.ja3s.hash to tls.server.ja3s
• perform suricata.eve.tls.* -> tls.* mappings for all event types

Why is it important?

• If the tls.* mappings aren't filled in the event doesn't show up in
  the TLS tab in the SIEM
• default_field to false to stay under 1000 fields

Checklist

• My code follows the style guidelines of this project
  - [ ] I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
  - [ ] I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

TESTING_FILEBEAT_MODULES=suricata mage -v pythonIntegTest

Related issues

• Closes [Filebeat] suricata fileset doesn't capture tls fields for alerts #19492

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[elasticmachine]

💚 Build Succeeded

Expand to view the summary

Build stats

• Build Cause: [leehinman commented: run tests]

• Start Time: 2020-07-06T00:47:20.376+0000

• Duration: 61 min 39 sec

Test stats 🧪

Test	Results
Failed	0
Passed	3789
Skipped	683
Total	4472

[leehinman]

run tests