diff --git a/security/suricata/Makefile b/security/suricata/Makefile
index 891a015e8e5c..91de8fce570b 100644
--- a/security/suricata/Makefile
+++ b/security/suricata/Makefile
@@ -1,6 +1,5 @@
 PORTNAME= suricata
-DISTVERSION= 6.0.3
-PORTREVISION= 5
+DISTVERSION= 6.0.4
 CATEGORIES= security
 MASTER_SITES= https://www.openinfosecfoundation.org/download/
diff --git a/security/suricata/distinfo b/security/suricata/distinfo
index 47cdde42ff52..d754df161699 100644
--- a/security/suricata/distinfo
+++ b/security/suricata/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1628041281
-SHA256 (suricata-6.0.3.tar.gz) = daf134bb2d7c980035e9ae60f7aaf313323a809340009f26e48110ccde81f602
-SIZE (suricata-6.0.3.tar.gz) = 32421197
+TIMESTAMP = 1637246038
+SHA256 (suricata-6.0.4.tar.gz) = a8f197e33d1678689ebbf7bc1abe84934c465d22c504c47c2c7e9b74aa042d0d
+SIZE (suricata-6.0.4.tar.gz) = 32498036
diff --git a/security/suricata/files/patch-3c53a1601 b/security/suricata/files/patch-3c53a1601
deleted file mode 100644
index d70b3c563e5a..000000000000
--- a/security/suricata/files/patch-3c53a1601
+++ /dev/null
@@ -1,78 +0,0 @@
-From 3c53a1601b6f861f8b7f0cd0984b18e78291fe85 Mon Sep 17 00:00:00 2001
-From: Victor Julien
-Date: Wed, 18 Aug 2021 20:14:48 +0200
-Subject: [PATCH] threading: don't pass locked flow between threads
-
-Previously the flow manager would share evicted flows with the workers
-while keeping the flows mutex locked. This reduced the number of unlock/
-lock cycles while there was guaranteed to be no contention.
-
-This turns out to be undefined behavior. A lock is supposed to be locked
-and unlocked from the same thread. It appears that FreeBSD is stricter on
-this than Linux.
-
-This patch addresses the issue by unlocking before handing a flow off
-to another thread, and locking again from the new thread.
-
-Issue was reported and largely analyzed by Bill Meeks.
-
-Bug: #4478
-(cherry picked from commit 9551cd05357925e8bec8e0030d5f98fd07f17839)
----
- src/flow-hash.c | 1 +
- src/flow-manager.c | 2 +-
- src/flow-timeout.c | 1 +
- src/flow-worker.c | 1 +
- 4 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/flow-hash.c b/src/flow-hash.c
-index ebbd836e81a..760bc53e0a8 100644
---- src/flow-hash.c
-+++ src/flow-hash.c
-@@ -669,6 +669,7 @@ static inline void MoveToWorkQueue(ThreadVars *tv, FlowLookupStruct *fls,
- f->fb = NULL;
- f->next = NULL;
- FlowQueuePrivateAppendFlow(&fls->work_queue, f);
-+ FLOWLOCK_UNLOCK(f);
- } else {
- /* implied: TCP but our thread does not own it. So set it
- * aside for the Flow Manager to pick it up. */
-diff --git a/src/flow-manager.c b/src/flow-manager.c
-index d58a49637d6..9228c88490c 100644
---- src/flow-manager.c
-+++ src/flow-manager.c
-@@ -333,9 +333,9 @@ static uint32_t ProcessAsideQueue(FlowManagerTimeoutThread *td, FlowTimeoutCount
- FlowForceReassemblyNeedReassembly(f) == 1)
- {
- FlowForceReassemblyForFlow(f);
-+ FLOWLOCK_UNLOCK(f);
- /* flow ownership is passed to the worker thread */
-
-- /* flow remains locked */
- counters->flows_aside_needs_work++;
- continue;
- }
-diff --git a/src/flow-timeout.c b/src/flow-timeout.c
-index 972b35076bd..d6cca490087 100644
---- src/flow-timeout.c
-+++ src/flow-timeout.c
-@@ -401,6 +401,7 @@ static inline void FlowForceReassemblyForHash(void)
- RemoveFromHash(f, prev_f);
- f->flow_end_flags |= FLOW_END_FLAG_SHUTDOWN;
- FlowForceReassemblyForFlow(f);
-+ FLOWLOCK_UNLOCK(f);
- f = next_f;
- continue;
- }
-diff --git a/src/flow-worker.c b/src/flow-worker.c
-index 69dbb6ac575..dccf3581dd5 100644
---- src/flow-worker.c
-+++ src/flow-worker.c
-@@ -168,6 +168,7 @@ static void CheckWorkQueue(ThreadVars *tv, FlowWorkerThreadData *fw,
- {
- Flow *f;
- while ((f = FlowQueuePrivateGetFromTop(fq)) != NULL) {
-+ FLOWLOCK_WRLOCK(f);
- f->flow_end_flags |= FLOW_END_FLAG_TIMEOUT; //TODO emerg
-
- const FlowStateType state = f->flow_state;
diff --git a/security/suricata/files/patch-powerpc b/security/suricata/files/patch-powerpc
deleted file mode 100644
index e8b444747129..000000000000
--- a/security/suricata/files/patch-powerpc
+++ /dev/null
@@ -1,62 +0,0 @@
---- rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/mod.rs.orig 2020-03-17 20:35:43 UTC
-+++ rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/mod.rs
-@@ -1486,6 +1486,9 @@ cfg_if! {
- } else if #[cfg(target_arch = "powerpc64")] {
- mod powerpc64;
- pub use self::powerpc64::*;
-+ } else if #[cfg(target_arch = "powerpc")] {
-+ mod powerpc;
-+ pub use self::powerpc::*;
- } else {
- // Unknown target_arch
- }
---- rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/powerpc.rs.orig 2021-06-23 22:40:24 UTC
-+++ rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/powerpc.rs
-@@ -0,0 +1,47 @@
-+pub type c_char = u8;
-+pub type c_long = i32;
-+pub type c_ulong = u32;
-+pub type wchar_t = i32;
-+pub type time_t = i64;
-+pub type suseconds_t = i32;
-+pub type register_t = i32;
-+
-+s! {
-+ pub struct stat {
-+ pub st_dev: ::dev_t,
-+ pub st_ino: ::ino_t,
-+ pub st_mode: ::mode_t,
-+ pub st_nlink: ::nlink_t,
-+ pub st_uid: ::uid_t,
-+ pub st_gid: ::gid_t,
-+ pub st_rdev: ::dev_t,
-+ pub st_atime: ::time_t,
-+ pub st_atime_nsec: ::c_long,
-+ pub st_mtime: ::time_t,
-+ pub st_mtime_nsec: ::c_long,
-+ pub st_ctime: ::time_t,
-+ pub st_ctime_nsec: ::c_long,
-+ pub st_size: ::off_t,
-+ pub st_blocks: ::blkcnt_t,
-+ pub st_blksize: ::blksize_t,
-+ pub st_flags: ::fflags_t,
-+ pub st_gen: u32,
-+ pub st_lspare: i32,
-+ pub st_birthtime: ::time_t,
-+ pub st_birthtime_nsec: ::c_long,
-+ }
-+}
-+
-+// should be pub(crate), but that requires Rust 1.18.0
-+cfg_if! {
-+ if #[cfg(libc_const_size_of)] {
-+ #[doc(hidden)]
-+ pub const _ALIGNBYTES: usize = ::mem::size_of::<::c_int>() - 1;
-+ } else {
-+ #[doc(hidden)]
-+ pub const _ALIGNBYTES: usize = 4 - 1;
-+ }
-+}
-+
-+pub const MAP_32BIT: ::c_int = 0x00080000;
-+pub const MINSIGSTKSZ: ::size_t = 2048; // 512 * 4
diff --git a/security/suricata/pkg-plist b/security/suricata/pkg-plist
index 5fcb57aa716a..f50fe60042d1 100644
--- a/security/suricata/pkg-plist
+++ b/security/suricata/pkg-plist
@@ -136,7 +136,7 @@ man/man1/suricata.1.gz
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/util.pyc
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.py
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.pyc
-%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.2-py%%PYTHON_VER%%.egg-info
+%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.3-py%%PYTHON_VER%%.egg-info
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.py
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.pyc
 %%DATADIR%%/rules/app-layer-events.rules
@@ -146,9 +146,11 @@ man/man1/suricata.1.gz
 %%DATADIR%%/rules/dns-events.rules
 %%DATADIR%%/rules/files.rules
 %%DATADIR%%/rules/http-events.rules
+%%DATADIR%%/rules/http2-events.rules
 %%DATADIR%%/rules/ipsec-events.rules
 %%DATADIR%%/rules/kerberos-events.rules
 %%DATADIR%%/rules/modbus-events.rules
+%%DATADIR%%/rules/mqtt-events.rules
 %%DATADIR%%/rules/nfs-events.rules
 %%DATADIR%%/rules/ntp-events.rules
 %%DATADIR%%/rules/smb-events.rules