I use suricata 7.0
alert tcp any any -> any any (ssl_state:client_hello; tls.sni; content:".amazon.com";) >>> not detected
alert tcp any any -> any any (ssl_state:client_hello;) >>> detected OK
I don't understand this.
Can’t content keyword and ssl_state keyword be used together?
I would appreciate it if you could let me know.