For TCP flow "FLOW" events does not show "Closed" state ;Alert shows FIN event though

I have enabled FLOW and trying to track TCP flow.
I have also created alerts for TCP setup for flags like SYN,ACK, FIN

When the TCP session takes place , I see the alerts as expected for all events like SYN,ACK , FIN ( not RESET )

But under FLOW event_type I do not see “CLOSED” state. I only see ESTABLISHED followed by NEW states and at the end I see NEW STATE with reason “unknown”

I have been trying to use iperf to generate TCP flow , also tried using socket programming on LINUX machine.

Here is the timeout information from suricata.yaml

flow-timeouts:

default:
new: 30
established: 300
closed: 0
tcp:
new: 1
established: 3
closed: 2

Also I would like to know when the suricata decides to “close” the TCP flow, what is the logic behind it.
I see stream-tcp file compares timestamps for each state to check if FLOW is alive , however I am looking for the logic which decides the TCP flow is closed for that connection.

import json

def check_flow_states(log_file):
    closed_state_found = False
    with open(log_file, 'r') as file:
        for line in file:
            try:
                event = json.loads(line)
                if event.get('event_type') == 'flow':
                    print(f"Flow state: {event.get('flow', {}).get('state')}")
                    if event.get('flow', {}).get('state') == 'closed':
                        closed_state_found = True
            except json.JSONDecodeError:
                pass  # Skip lines that are not valid JSON

    if not closed_state_found:
        print("No 'CLOSED' state found in flow events.")
    else:
        print("Found at least one 'CLOSED' state in flow events.")

# Usage
log_file_path = '/path/to/your/eve.json'  # replace with your actual log file path
check_flow_states(log_file_path)