My requirement is to know the account information when the FTP empty-password login alarm occurs. How do I write the rules?
alert ftp any any -> $HOME_NET any (msg:"ftp空密码登录-账号提取"; flow:established,to_server; content:"USER "; depth:5; pcre:"/^USER\s+\S*/i"; sid:2; gid: 214581;)
alert ftp any any -> $HOME_NET any (msg:"ftp空密码登录-前置"; flow:established,to_server; content:"PASS "; depth:5; pcre:"/^PASS\s*$/i"; flowbits:set,session.ftp_empty_pass_login; metadata:attack_result 1, level 2; sid:1; gid: 214581;)
The first rule will warn you on all FTP logins, not just when there is an empty password. How can I optimize this?
This is Suricata version 7.0.5 RELEASE
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
Install from source
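To make the ordering problem concrete, here is an added example (my own Python, not code from the original post and not part of Suricata) that replays the same USER/PASS logic over a constructed FTP command stream: the USER line records the account per flow without raising anything, and an alert carrying that account is raised only when an empty PASS arrives on a flow that has a recorded USER. This mirrors the flowbit pattern the two rules are reaching for (USER rule sets state, PASS rule checks it), with the account string stored alongside the state since a flowbit itself cannot carry data. Flow ids and the sample commands are constructed; the matching conditions copy the rule's `content:"PASS "` plus `pcre:"/^PASS\s*$/i"` logic.

```python
"""Replay of the USER -> empty PASS correlation from the question over a
constructed client-to-server FTP command stream (added example, not Suricata code)."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Mirrors pcre:"/^USER\s+\S*/i" but captures the account name.
USER_RE = re.compile(rb"^USER\s+(\S+)", re.IGNORECASE)
# Mirrors pcre:"/^PASS\s*$/i": only whitespace (incl. the CRLF) may follow PASS.
PASS_RE = re.compile(rb"^PASS\s*$", re.IGNORECASE)


def extract_user(line: bytes) -> Optional[bytes]:
    """Return the account from a USER command line, or None if not a USER line."""
    m = USER_RE.match(line)
    return m.group(1) if m else None


def is_empty_pass(line: bytes) -> bool:
    """Equivalent of content:"PASS "; depth:5; pcre:"/^PASS\s*$/i".
    Note the literal "PASS " (with a space) is required, as in the rule's
    content match, which is case-sensitive without nocase."""
    return line[:5] == b"PASS " and PASS_RE.match(line) is not None


def detect_empty_password_logins(
    commands: Iterable[Tuple[int, bytes]],
) -> List[Tuple[int, str]]:
    """commands: (flow_id, raw_command_line) pairs in client->server direction.
    Returns one (flow_id, account) entry per empty PASS that follows a USER
    on the same flow, which is what the desired single alert should carry."""
    pending_user: Dict[int, bytes] = {}  # per-flow state, like a flowbit plus data
    alerts: List[Tuple[int, str]] = []
    for flow_id, raw in commands:
        user = extract_user(raw)
        if user is not None:
            # USER rule: set state for this flow, do not alert (flowbits:noalert)
            pending_user[flow_id] = user
            continue
        if raw[:5].upper() == b"PASS ":
            # Any PASS consumes the pending USER; only an empty one alerts
            account = pending_user.pop(flow_id, None)
            if account is not None and is_empty_pass(raw):
                alerts.append((flow_id, account.decode("ascii", "replace")))
    return alerts


# Constructed sample stream: four flows, only flow 1 is an empty-password login.
SAMPLE_STREAM: List[Tuple[int, bytes]] = [
    (1, b"USER alice\r\n"),
    (1, b"PASS \r\n"),        # empty password -> alert with account "alice"
    (2, b"USER bob\r\n"),
    (2, b"PASS s3cret\r\n"),  # normal login -> no alert
    (3, b"PASS \r\n"),        # empty PASS without a prior USER -> no alert
    (4, b"USER carol\r\n"),
    (4, b"PASS\r\n"),         # no space after PASS: content:"PASS " would not match
]

if __name__ == "__main__":
    for flow_id, account in detect_empty_password_logins(SAMPLE_STREAM):
        print(f"flow {flow_id}: empty-password login for account {account!r}")
```

The point the replay makes is that the alert has to be raised from the PASS side: when the USER line arrives nothing is known yet about the password, so a rule that alerts on USER will always fire on every login. Whatever rule alerts on the empty PASS must be the one that reaches back to the account recorded earlier in the flow.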