Severity vs signature_severity

Hi!
In the suricata.rules file i can see signature_severity set, and in eve.json i see both that, and also one other called just severity. How do they relate?
Sometimes i get alerts where sev=1/sig_sev=Critical, and sometimes sev=1/sig_sev=Informational.
And by what is severity set? (since its not present in suricata.rules)

$ grep 2009099 suricata.rules
alert udp $HOME_NET 1024:65535 -> [$EXTERNAL_NET,!224.0.0.0/4] 1024:65535 (msg:"ET P2P ThunderNetwork UDP Traffic"; dsize:<38; content:"|32 00 00 00|"; depth:4; content:"|00 00 00 00|"; distance:1; threshold:type limit, track by_src, count 1, seconds 300; reference:url,xunlei.com; reference:url,en.wikipedia.org/wiki/Xunlei; classtype:policy-violation; sid:2009099; rev:4; metadata:created_at 2010_07_30, confidence High, signature_severity Informational, updated_at 2019_07_26;)

And in eve.json...
{
  "timestamp": "2025-01-21T08:08:07.218624+0100",
  "event_type": "alert",
  ...
  "dest_port": 10050,
  "proto": "UDP",
  "community_id": "1:k8ntxFqa6QPNmM5nvC7v3IYfdgs=",
  "alert": {
    "signature_id": 2009099,
    "signature": "ET P2P ThunderNetwork UDP Traffic",
    "category": "Potential Corporate Privacy Violation",
    "severity": 1,
    ...
      "signature_severity": [
        "Informational"
      ],
    }
  },
  "app_proto": "failed",
  "flow": {
    ...
  }
}

Both severities can be set up by the rule writer (by default it is 1).
ref: Suricata alert severity levels and how to verify that the maximum level that can be triggered by a test custom rule

There is also signature_severity that is defined in the metadata section of the rule , it has no impact on detection - it is just for information.

....metadata:created_at 2021_05_04, signature_severity Minor, updated_at 2025_03_13;.....

Ok, thanks!

So the severity is not for instance inferred from classtype or something like that (unless its explicitly set)?

Yes, by default is 1, unless changed.