Snort - Source and Destination IPs missing from alert
We are running Snort 3.1.22. A log4j rule was recently triggered but the alert did not include any source or destination IP info. What are the circumstances where this info wouldn't be available in an alert log? I'm unable to / don't know how to manually trigger the alert to experiment with it.
The rule:
```
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_cookie; content:"${",fast_pattern,nocase; pcre:"/\x24\x7b.{0,200}\x24\x7b.{0,200}\x3a[\x27\x22\x2d\x5c]*([jndi\x7d\x3a\x2d]|\x5cu00[a-f0-9]{2}){1,4}[\x22\x27]?[\x3a\x7djndi]/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; classtype:attempted-user; sid:300058; rev:2; )
```
The alert log:
```
[**] [1:300058:2] "SERVER-OTHER Apache Log4j logging remote code execution attempt" [**] 03/23-07:42:06.453104
```
The arguments we're running snort with:
```
snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/local.rules -i eth0 -A alert_full -l /var/log/snort -k none
```
The only other time we see missing IPs in the alert logs is for a rule that looks for a large number of TCP connections in a small time-frame. The rule was set up for port scans, but we can't adequately filter out false positives and we are likely going to remove it, but it's another example of the issue. Around 50 out of every 500 alerts for that TCP rule come back with no IP info and it's not clear why. At first we thought maybe it had to do with too many alerts being triggered at once for a rule, but the log4j alert has only been triggered once so we're stumped.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow