Closed
Description
@nwt's comment from brimdata/zui#2926 (comment):
What's happening here is that Suricata is exiting cleanly (i.e., with status 0) without reading its standard input to EOF. When Suricata exits, io.Copy in the goroutine created by analyzer.runProcesses returns because writes to the pipe connected to its standard input start failing. The goroutine then closes Zeek's standard input, resulting in this error.
That Zui issue improved how Brimcap catches and presents this kind of error, but @nwt feels there are still improvements that can be made on the Brimcap side. A current quote:
Right now brimcap assumes that analyzers that exit with status zero will read their standard input until EOF. I’m not sure that’s a good assumption.
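The failure mode described in this issue, reproduced as an added Go example (not Brimcap's code): a child that exits with status 0 before reading its standard input to EOF makes `io.Copy` fail with `EPIPE` on Unix, and the caller can tell that apart from a clean full read. The `feed` helper, the `feedResult` type, and the use of `cat` and `sh -c "exit 0"` as stand-ins for analyzers are assumptions for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"os/exec"
	"syscall"
)

// feedResult is a hypothetical type recording how a child consumed its stdin.
type feedResult struct {
	Written   int64 // bytes the pipe accepted before the copy stopped
	CopyErr   error // error from io.Copy; nil if all input was written
	ExitCode  int
	EarlyExit bool // exited 0 but closed stdin before EOF
}

// feed (hypothetical helper) streams input to a child process and reports
// whether the child exited cleanly without draining its standard input.
func feed(input io.Reader, name string, args ...string) (feedResult, error) {
	cmd := exec.Command(name, args...)
	stdin, err := cmd.StdinPipe()
	if err != nil {
		return feedResult{}, err
	}
	if err := cmd.Start(); err != nil {
		return feedResult{}, err
	}
	n, copyErr := io.Copy(stdin, input) // fails with EPIPE once the child is gone
	stdin.Close()
	var exitErr *exec.ExitError
	if err := cmd.Wait(); err != nil && !errors.As(err, &exitErr) {
		return feedResult{}, err
	}
	code := cmd.ProcessState.ExitCode()
	return feedResult{n, copyErr, code, code == 0 && errors.Is(copyErr, syscall.EPIPE)}, nil
}

func main() {
	pcap := make([]byte, 1<<20) // constructed input, larger than a pipe buffer
	for _, argv := range [][]string{{"cat"}, {"sh", "-c", "exit 0"}} {
		res, err := feed(bytes.NewReader(pcap), argv[0], argv[1:]...)
		fmt.Println(argv, res.Written, res.CopyErr, res.EarlyExit, err)
	}
}
```

With `EarlyExit` set, a caller feeding several processes from one source can keep the other processes' inputs open and report which one stopped reading, rather than treating exit status 0 as proof that all input was consumed.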