Understanding packets and log records

Hi,

I recently configured the following rule. I am trying to alert when there is a possible DDoS attack:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "Possible DDoS attack"; flags: S; flow: stateless; threshold: type both, track by_dst, count 200, seconds 1; sid:14000000; classtype:denial-of-service; rev:1;)

When this rule alerted, i checked the log associated with the traffic flow. I noticed that i have a “Netflow” record (source external address and destination internal address) that indicates this:

suricata.eve.netflow.age: 1
suricata.eve.netflow.bytes: 816
suricata.eve.netflow.end: 2023-01-02T19:45:23.275415+0000
suricata.eve.netflow.max_ttl: 39
suricata.eve.netflow.min_ttl: 38
suricata.eve.netflow.pkts: 12
suricata.eve.netflow.start: 2023-01-02T19:45:22.828251+0000
suricata.eve.tcp.ack: true
suricata.eve.tcp.fin: true
suricata.eve.tcp.syn: true
suricata.eve.tcp.tcp_flags 13

In the alert information, i can see this:

network.packets: 2

So, my questions are the following:

1 - Why there is a difference in the number of packets

2 - Why the rule even triggered. It should only trigger when there are more than 200 packets.

Thanks in advance