So you could try this… Create /etc/firewalld/direct.xml to look like:
<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-j NFQUEUE --queue-bypass</rule>
<rule ipv="ipv4" table="filter" chain="OUTPUT" priority="0">-j NFQUEUE --queue-bypass</rule>
</direct>
Note the --queue-bypass. This allows packets through if Suricata is not running. If you want packets to be dropped when Suricata is not running then remove that option.
After creating this file reload with firewall-cmd --reload.
This was tested on a CentOS 8 default install with Suricata installed from EPEL. The command line was simply suricata -q0.
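As an added example (not part of the reply above, and not from the Suricata or firewalld projects), here is a small Python script that parses a firewalld direct.xml, lists every rule whose target is NFQUEUE, and reports whether the setup fails open (--queue-bypass present) or fails closed (option removed) when Suricata is not bound to the queue. It also generates either variant of the file. It uses only the standard library; the sample XML is a constructed copy of the file shown in the reply, and the queue-0 default assumption is the iptables NFQUEUE default that matches suricata -q0.

```python
import xml.etree.ElementTree as ET

# Constructed sample matching the direct.xml shown in the reply above.
SAMPLE_DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-j NFQUEUE --queue-bypass</rule>
<rule ipv="ipv4" table="filter" chain="OUTPUT" priority="0">-j NFQUEUE --queue-bypass</rule>
</direct>
"""


def parse_nfqueue_rules(xml_text):
    """Return a dict per direct rule whose target is NFQUEUE.

    Records ip family, table, chain, priority, the queue number the rule sends
    to (iptables defaults to queue 0 when --queue-num is absent, which is what
    'suricata -q0' listens on) and whether --queue-bypass is set.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "direct":
        raise ValueError("root element must be <direct>, got <%s>" % root.tag)
    found = []
    for rule in root.findall("rule"):
        args = (rule.text or "").split()
        if "-j" not in args:
            continue
        idx = args.index("-j")
        if idx + 1 >= len(args) or args[idx + 1] != "NFQUEUE":
            continue
        queue_num = 0  # assumption: iptables default queue when --queue-num is absent
        if "--queue-num" in args:
            queue_num = int(args[args.index("--queue-num") + 1])
        found.append({
            "ipv": rule.get("ipv"),
            "table": rule.get("table"),
            "chain": rule.get("chain"),
            "priority": int(rule.get("priority", "0")),
            "queue_num": queue_num,
            "bypass": "--queue-bypass" in args,
        })
    return found


def failure_mode(rules):
    """Describe what happens to queued packets when no userspace listener is bound.

    'fail-open'   : every NFQUEUE rule has --queue-bypass (traffic passes if Suricata is down)
    'fail-closed' : no rule has it (traffic is dropped if Suricata is down)
    'mixed'       : some chains bypass and some do not
    'none'        : no NFQUEUE rule at all
    """
    if not rules:
        return "none"
    flags = {r["bypass"] for r in rules}
    if flags == {True}:
        return "fail-open"
    if flags == {False}:
        return "fail-closed"
    return "mixed"


def build_direct_xml(chains=("INPUT", "OUTPUT"), bypass=True, queue_num=0):
    """Generate a direct.xml that hooks the given filter chains to NFQUEUE.

    bypass=True reproduces the file from the reply; bypass=False is the
    fail-closed variant the reply describes (option removed).
    """
    root = ET.Element("direct")
    for chain in chains:
        rule = ET.SubElement(root, "rule", ipv="ipv4", table="filter",
                             chain=chain, priority="0")
        args = ["-j", "NFQUEUE"]
        if queue_num != 0:
            args += ["--queue-num", str(queue_num)]
        if bypass:
            args.append("--queue-bypass")
        rule.text = " ".join(args)
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"


if __name__ == "__main__":
    rules = parse_nfqueue_rules(SAMPLE_DIRECT_XML)
    for r in rules:
        print("%(chain)s -> queue %(queue_num)d, bypass=%(bypass)s" % r)
    print("failure mode:", failure_mode(rules))
    print(build_direct_xml(bypass=False))
```

Run it against the real file with something like parse_nfqueue_rules(open("/etc/firewalld/direct.xml").read()) after firewall-cmd --reload; a "mixed" result usually means one chain was edited and the other forgotten, which is easy to miss from the firewall-cmd --direct --get-all-rules output alone.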