Evebox/esimport - There does not appear to be an entry for sensor id/name

Suricata can be configured to log a sensor-name, see suricata/suricata.yaml.in at master · OISF/suricata · GitHub.

It's a bit unfortunate that it logs in the JSON file as host, which conflicts with Filebeat's concept of a host, but it might work for you provided you’re not mixing Logstash/Evebox added data with Filebeat added data.

I see the EveBox agent mode has a way to add a custom field to each alert, but that's not in elastic-import. Time to unify these two tools at some point I think.