diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml
index 42af3fc55..0252d3a81 100644
--- a/salt/suricata/defaults.yaml
+++ b/salt/suricata/defaults.yaml
@@ -3,6 +3,14 @@ suricata:
 pcap:
 filesize: 1000mb
 maxsize: 25
+ compression: "none"
+ lz4-checksum: "no"
+ lz4-level: 8
+ filename: "%n/so-pcap.%t"
+ mode: "multi"
+ use-stream-depth: "no"
+ conditional: "all"
+ dir: "/nsm/suripcap"
 config:
 threading:
 set-cpu-affinity: "no"
@@ -131,14 +139,6 @@ suricata:
 enabled: "no"
 pcap-log:
 enabled: "no"
- compression: "none"
- lz4-checksum: "no"
- lz4-level: 8
- filename: "%n/so-pcap.%t"
- mode: "multi"
- use-stream-depth: "no"
- conditional: "all"
- dir: "/nsm/suripcap"
 alert-debug:
 enabled: "no"
 alert-prelude:
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 88b460af8..da7586e97 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
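Review bot: The eight pcap-log keys added under `suricata.pcap` are the same values the second hunk (`@@ -131,14`) deletes from `config.outputs.pcap-log`, and nothing in this commit shows the template that consumes them being repointed, so a Suricata config still rendered from the old path would silently fall back to Suricata's own defaults for `conditional`, `use-stream-depth` and `dir` — worth confirming the renderer and any existing pillar overrides were updated alongside. A short comment at the new location would help the next reader find the UI schema and explain why these keys sit outside the native Suricata tree: `# pcap-log output options (moved from config.outputs.pcap-log; UI schema in soc_suricata.yaml)`. Quoting `"no"`/`"none"` as strings here is right — an unquoted `no` would load as boolean false under YAML 1.1 before Suricata ever saw it. Indentation was collapsed in this view, so the nesting depth of the added keys could not be verified.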
@@ -27,6 +27,47 @@ suricata:
 maxsize:
 description: Size in GB for total usage size of PCAP on disk.
 helplink: suricata.html
+ compression:
+ description: Enable compression of Suricata PCAP. Currently unsupported
+ advanced: True
+ readonly: True
+ helpLink: suricata.html
+ lz4-checksum:
+ description: Enable PCAP lz4 checksum. Currently unsupported
+ advanced: True
+ readonly: True
+ helpLink: suricata.html
+ lz4-level:
+ description: lz4 compression level of PCAP. 0 for no compression 16 for max compression. Currently unsupported
+ advanced: True
+ readonly: True
+ helpLink: suricata.html
+ filename:
+ description: Filename output for Suricata PCAP.
+ advanced: True
+ readonly: True
+ helpLink: suricata.html
+ mode:
+ description: Suricata PCAP mode. Currently only multi is supported.
+ advanced: True
+ readonly: True
+ helpLink: suricata.html
+ use-stream-depth:
+ description: Set to "no" to ignore the stream depth and capture the entire flow. Set this to "yes" to truncate the flow based on the stream depth.
+ advanced: True
+ regex: ^(yes|no)$
+ regexFailureMessage: You must enter either yes or no.
+ helpLink: suricata.html
+ conditional:
+ description: Set to "all" to capture PCAP for all flows. Set to "alert" to capture PCAP just for alerts or set to "tag" to capture PCAP for just tagged rules.
+ regex: ^(all|alert|tag)$
+ regexFailureMessage: You must enter either all, alert or tag.
+ helpLink: suricata.html
+ dir:
+ description: Parent directory to store PCAP.
+ advanced: True
+ readonly: True
+ helpLink: suricata.html
 config:
 af-packet:
 interface:
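Review bot: `conditional` is the only entry in the added block without `advanced: True`, which puts the choice of capturing only alert/tagged flows in the basic settings view while its description does not spell out the forensic cost; if that exposure is intended, extend the description, e.g. append `Anything other than "all" means traffic that never triggers an alert or tagged rule is not retained, so post-incident packet review is limited to alerting flows.` The `^(yes|no)$` regex on `use-stream-depth` agrees with the quoted `"no"` default, but `lz4-level` carries no validation at all — acceptable while it is `readonly: True`, though a range check such as `regex: ^([0-9]|1[0-6])$` (constructed from the 0–16 span the description states) should be added the moment it becomes editable. The context line `helplink: suricata.html` under `maxsize` differs in case from the `helpLink` every new entry uses; presumably the consumer keys on the camelCase form, so that pre-existing line likely deserves the same spelling in passing.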
@@ -175,48 +216,7 @@ suricata:
 description: This value is ignored by SO. pcapengine in globals takes precidence.
 readonly: True
 helpLink: suricata.html
- advanced: True
- compression:
- description: Enable compression of Suricata PCAP. Currently unsupported
- advanced: True
- readonly: True
- helpLink: suricata.html
- lz4-checksum:
- description: Enable PCAP lz4 checksum. Currently unsupported
- advanced: True
- readonly: True
- helpLink: suricata.html
- lz4-level:
- description: lz4 compression level of PCAP. 0 for no compression 16 for max compression. Currently unsupported
- advanced: True
- readonly: True
- helpLink: suricata.html
- filename:
- description: Filename output for Suricata PCAP.
- advanced: True
- readonly: True
- helpLink: suricata.html
- mode:
- description: Suricata PCAP mode. Currently only multi is supported.
- advanced: True
- readonly: True
- helpLink: suricata.html
- use-stream-depth:
- description: Set to "no" to ignore the stream depth and capture the entire flow. Set this to "yes" to truncate the flow based on the stream depth.
- advanced: True
- regex: ^(yes|no)$
- regexFailureMessage: You must enter either yes or no.
- helpLink: suricata.html
- conditional:
- description: Set to "all" to capture PCAP for all flows. Set to "alert" to capture PCAP just for alerts or set to "tag" to capture PCAP for just tagged rules.
- regex: ^(all|alert|tag)$
- regexFailureMessage: You must enter either all, alert or tag.
- helpLink: suricata.html
- dir:
- description: Parent directory to store PCAP.
- advanced: True
- readonly: True
- helpLink: suricata.html
+ advanced: True
 asn1-max-frames:
 description: Maximum nuber of asn1 frames to decode.
 helpLink: suricata.html
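Review bot: `advanced: True` is removed and re-added around the deleted block, which reads as an indentation-only change, but whitespace was collapsed in this view so the final nesting of that line relative to the `readonly`/`helpLink` lines above it cannot be confirmed — please check it still belongs to the entry it was attached to (presumably the `pcap-log` `enabled` setting, given the surrounding description). Since this entry is being touched, the two description typos on the neighbouring context lines are cheap to fix in the same commit: `description: This value is ignored by SO. pcapengine in globals takes precedence.` and `description: Maximum number of asn1 frames to decode.`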