Lua rules + Lua output?

In our initial case, the metadata would be the confidence value, specifically as to whether the flow data is understood to be likely malware. We believe that will help an analyst to triage results. The confidence value would be the result of a machine learning analytic.

Beyond confidence (readily mapped to an integer, assuming some concept of precision), I can envision returning the malware family. That could be an integer (lookup value) or a string.

Very much appreciate the pointer to the Flow ints and vars. I had looked at them at one point, but had not recognized their potential applications for our use case.