Hi!
Sorry for getting back late on this. If you want to see the file hash, you should probably be checking the files event corresponding to the same flow as the alert event. Also, make sure you have hash logging enabled in eve-log's files section.

    - files:
        force-magic: no   # force logging magic on all logged files
        # force logging of checksums, available hash functions are md5,
        # sha1 and sha256
        #force-hash: [md5]   <-- This one HERE

I think you may also need libnss installed for this to work.
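
The correlation described in the reply above, as an added example that is not part of the original post: it joins `alert` events to `fileinfo` events in EVE JSON on `flow_id` and reports whichever hash fields each file event carries. The function name `hashes_for_alerts` is hypothetical and the sample events are constructed.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (not from a real sensor).
SAMPLE_EVE = """\
{"flow_id": 1111, "event_type": "alert", "alert": {"signature_id": 2000001}}
{"flow_id": 1111, "event_type": "fileinfo", "fileinfo": {"filename": "/dl/sample.bin", "state": "CLOSED", "md5": "0123456789abcdef0123456789abcdef"}}
{"flow_id": 2222, "event_type": "fileinfo", "fileinfo": {"filename": "/index.html", "state": "CLOSED", "md5": "fedcba9876543210fedcba9876543210"}}
{"flow_id": 3333, "event_type": "alert", "alert": {"signature_id": 2000002}}
{"flow_id": 3333, "event_type": "fileinfo", "fileinfo": {"filename": "/big.iso", "state": "TRUNCATED"}}
{"flow_id": 4444, "event_type": "ale
"""

HASH_KEYS = ("md5", "sha1", "sha256")


def hashes_for_alerts(lines):
    """Join alert events to fileinfo events on flow_id; one row per alert."""
    alerts, files = [], defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. a partially written line at the tail of a live log
        if ev.get("event_type") == "alert":
            alerts.append(ev)
        elif ev.get("event_type") == "fileinfo":
            files[ev.get("flow_id")].append(ev.get("fileinfo", {}))
    rows = []
    # Second pass: file events may be logged after the alert on the same flow.
    for a in alerts:
        matched = []
        for fi in files.get(a.get("flow_id"), []):
            # An empty dict here means the file event carried no hash fields.
            hashes = {k: fi[k] for k in HASH_KEYS if k in fi}
            matched.append({"filename": fi.get("filename"),
                            "state": fi.get("state"), "hashes": hashes})
        rows.append({"flow_id": a.get("flow_id"),
                     "sid": a.get("alert", {}).get("signature_id"),
                     "files": matched})
    return rows


if __name__ == "__main__":
    for row in hashes_for_alerts(SAMPLE_EVE.splitlines()):
        print(json.dumps(row))
```

An alert whose matched file shows empty `hashes` is the case the reply is addressing: the file event exists for the flow but was logged without checksum fields.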