Description
To help users understand why we unbundled Brimcap, it'll be helpful to have docs that walk through how the pieces fit together. Since the Zeek logs are Zeek TSV and have all the typing/schema info already, they can be taken for granted... but the Suricata part relies on the Zed shaper and hence would make a great example. I could write an article (maybe start a wiki on the Brimcap repo?) that shows how the shaper is currently capturing only the Alerts & doing it under a single/wide schema and describe the trade-offs of that approach vs. letting through the many schema variations that would otherwise be created. This would give users a starting point if they wanted to try their own variations, such as letting through more of the Suricata event types and therefore confront whether they want to dive into doing their own shaping of those.
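To make the trade-off described above concrete, here is a small added example (Python, not Brimcap's shaper and not Zed) that models the two approaches over a constructed batch of Suricata EVE JSON lines: passing every event through as-is, versus keeping only alerts and coercing them into one wide, fixed schema. The field list in `ALERT_SCHEMA`, the `schema_of`/`shape_alert`/`compare` helpers and every value in `EVE_LINES` are assumptions made for this illustration.

```python
"""Model the "one wide alert schema" vs. "pass everything through" trade-off
over Suricata EVE JSON. Added example; not Brimcap code and not Zed."""
import json

# Constructed EVE lines (values are made up): two alerts with slightly
# different field sets, plus flow, dns and http events.
EVE_LINES = [
    '{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"signature":"EXAMPLE rule one","severity":2,"metadata":{"tag":["demo"]}}}',
    '{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"ICMP","alert":{"signature_id":1000002,"signature":"EXAMPLE rule two","severity":3}}',
    '{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":4,"bytes_toserver":300}}',
    '{"timestamp":"2024-01-01T00:00:03.000000+0000","event_type":"dns","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.2","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.test","rrtype":"A"}}',
    '{"timestamp":"2024-01-01T00:00:04.000000+0000","event_type":"http","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","http":{"hostname":"example.test","url":"/","status":200}}',
]


def schema_of(rec, prefix=""):
    """Hashable schema signature: the sorted tuple of dotted field paths,
    descending into nested objects (lists count as leaves)."""
    paths = []
    for key, val in rec.items():
        path = prefix + key
        if isinstance(val, dict):
            paths.extend(schema_of(val, path + "."))
        else:
            paths.append(path)
    return tuple(sorted(paths))


# The single wide alert schema (assumed for this example): dotted path -> type.
# Every shaped record carries exactly these fields; absent ones become None,
# and anything outside the list is dropped.
ALERT_SCHEMA = {
    "timestamp": str, "src_ip": str, "src_port": int,
    "dest_ip": str, "dest_port": int, "proto": str,
    "alert.signature_id": int, "alert.signature": str, "alert.severity": int,
}


def _lookup(rec, path):
    """Follow a dotted path into nested dicts; None if any part is missing."""
    cur = rec
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def shape_alert(rec):
    """Coerce one alert into ALERT_SCHEMA. Returns (shaped, dropped_paths);
    non-alert events yield (None, ()) so they are filtered out."""
    if rec.get("event_type") != "alert":
        return None, ()
    shaped = {}
    for path, typ in ALERT_SCHEMA.items():
        val = _lookup(rec, path)
        shaped[path] = None if val is None else typ(val)
    dropped = tuple(p for p in schema_of(rec)
                    if p not in ALERT_SCHEMA and p != "event_type")
    return shaped, dropped


def compare(lines):
    """Count distinct schemas in pass-through vs. shaped output, and record
    what the shaping approach throws away (events and field paths)."""
    records = [json.loads(line) for line in lines]
    passthrough_schemas = {schema_of(r) for r in records}
    shaped, dropped = [], set()
    for rec in records:
        out, lost = shape_alert(rec)
        if out is not None:
            shaped.append(out)
            dropped.update(lost)
    return {
        "events_in": len(records),
        "passthrough_schemas": len(passthrough_schemas),
        "shaped_events": len(shaped),
        "shaped_schemas": len({schema_of(r) for r in shaped}),
        "dropped_paths": sorted(dropped),
    }


if __name__ == "__main__":
    for key, val in compare(EVE_LINES).items():
        print(f"{key}: {val}")
```

On this input the pass-through path yields five distinct schemas for five events (even the two alerts differ, since one lacks ports and carries `alert.metadata`), while the shaped path yields exactly one schema, at the cost of discarding the three non-alert events and the `alert.metadata.tag` field. That is the same choice the article would need to explain: one wide type that is easy to query and display, versus faithful pass-through of every Suricata event type with the schema sprawl that brings.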