Suricata sometimes doesn't bypass flow properly - even though it reports it as bypassed
In some cases Suricata does not set the bypass mask on the flow, but still reports the flow as bypassed (with "bypass":"capture"). When it later sees more packets belonging to that flow, it creates a new flow (possibly with the wrong direction, if it sees a packet from the other direction first) and reports that one as well.
The issue is quite strange and seems to depend on the protocol in use. Bypass works fine for HTTP/TLS but does not work for SSH, so the issue is probably not related to iptables mark/connmark handling but rather to some Suricata internals.
There is a workaround for now in the flows_conntrack.py script, which filters these duplicate flows (from the "flow"/"flow_start" events). This only fixes the reporting of these flows, though; it could still cause a performance problem, because the flow is not actually bypassed as it should be.
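The duplicate-flow symptom described above can be checked for directly in eve.json, independently of the workaround in flows_conntrack.py. The script below is an added example, not the project's script and not code from the original report: it reads flow/flow_start records, remembers every flow Suricata reported with a "bypass" field, and flags any later record that reuses the same direction-independent 5-tuple under a different flow_id, noting whether the new flow was created with the direction reversed. The eve.json lines and flow_ids are constructed sample data, and a report grouped by app_proto is included because the report states the behaviour is protocol-dependent (SSH affected, HTTP/TLS not).

```python
import json
from collections import Counter

# Constructed eve.json "flow" / "flow_start" records (sample data, not a real capture).
# Record 1001 is an SSH flow reported as bypassed; 1002 is the new flow Suricata created
# for the same connection later, with the direction reversed (server packet seen first).
# 1003 (TLS) and 1004 (HTTP) have no later duplicate.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "flow", "flow_id": 1001, "proto": "TCP",
                "src_ip": "10.0.0.5", "src_port": 51000,
                "dest_ip": "10.0.0.9", "dest_port": 22, "app_proto": "ssh",
                "flow": {"state": "bypassed", "bypass": "capture",
                         "pkts_toserver": 20, "pkts_toclient": 18}}),
    json.dumps({"event_type": "flow_start", "flow_id": 1002, "proto": "TCP",
                "src_ip": "10.0.0.9", "src_port": 22,
                "dest_ip": "10.0.0.5", "dest_port": 51000, "app_proto": "ssh"}),
    json.dumps({"event_type": "flow", "flow_id": 1003, "proto": "TCP",
                "src_ip": "10.0.0.5", "src_port": 52000,
                "dest_ip": "192.0.2.10", "dest_port": 443, "app_proto": "tls",
                "flow": {"state": "bypassed", "bypass": "capture",
                         "pkts_toserver": 9, "pkts_toclient": 7}}),
    json.dumps({"event_type": "flow", "flow_id": 1004, "proto": "TCP",
                "src_ip": "10.0.0.5", "src_port": 53000,
                "dest_ip": "10.0.0.9", "dest_port": 80, "app_proto": "http",
                "flow": {"state": "closed", "pkts_toserver": 5, "pkts_toclient": 4}}),
]


def flow_key(rec):
    """Direction-independent 5-tuple, so a flow re-created in the reverse
    direction still matches the original bypassed flow."""
    a = (rec["src_ip"], rec["src_port"])
    b = (rec["dest_ip"], rec["dest_port"])
    return (rec["proto"],) + tuple(sorted([a, b]))


def find_bypass_failures(lines):
    """Return a list of (app_proto, bypassed_flow_id, new_flow_id, reversed_direction)
    for every flow/flow_start record that reuses the 5-tuple of a flow Suricata
    had already reported as bypassed. Records of other event types are ignored."""
    bypassed = {}  # flow_key -> (flow_id, original (src_ip, src_port), app_proto)
    failures = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") not in ("flow", "flow_start"):
            continue
        key = flow_key(rec)
        if key in bypassed and rec["flow_id"] != bypassed[key][0]:
            orig_id, orig_src, app = bypassed[key]
            reversed_dir = (rec["src_ip"], rec["src_port"]) != orig_src
            failures.append((app, orig_id, rec["flow_id"], reversed_dir))
            continue
        # "bypass" is only present on flow records Suricata claims to have bypassed.
        if rec.get("flow", {}).get("bypass") is not None:
            bypassed[key] = (rec["flow_id"],
                             (rec["src_ip"], rec["src_port"]),
                             rec.get("app_proto", "unknown"))
    return failures


def failures_by_proto(lines):
    """Count bypass failures per app_proto to see which protocols are affected."""
    return dict(Counter(app for app, _, _, _ in find_bypass_failures(lines)))


if __name__ == "__main__":
    for app, orig_id, new_id, rev in find_bypass_failures(SAMPLE_EVE_LINES):
        print(f"{app}: flow {orig_id} reported bypassed but re-created as flow {new_id}"
              f"{' (direction reversed)' if rev else ''}")
    print("failures per app_proto:", failures_by_proto(SAMPLE_EVE_LINES))
```

On a live sensor, feed it the flow events from eve.json (for example a file opened with `open("eve.json")` iterated line by line); the direction-independent key is what lets the reversed-direction duplicate be attributed back to the flow it should have been part of.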