diff --git a/security/suricata/Makefile b/security/suricata/Makefile
index e450a344652f..d2887b48c134 100644
--- a/security/suricata/Makefile
+++ b/security/suricata/Makefile
@@ -1,133 +1,134 @@ PORTNAME= suricata DISTVERSION= 6.0.3 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= https://www.openinfosecfoundation.org/download/ MAINTAINER= franco@opnsense.org COMMENT= High Performance Network IDS, IPS and Security Monitoring engine LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/LICENSE BUILD_DEPENDS= rustc:lang/${RUST_DEFAULT} LIB_DEPENDS= libjansson.so:devel/jansson \ libpcre.so:devel/pcre \ libnet.so:net/libnet \ liblz4.so:archivers/liblz4 \ libyaml.so:textproc/libyaml USES= autoreconf cpe gmake iconv:translit libtool localbase \ pathfix pkgconfig CPE_VENDOR= openinfosecfoundation USE_LDCONFIG= yes USE_RC_SUBR= ${PORTNAME} GNU_CONFIGURE= yes CONFIGURE_ARGS+=--enable-gccprotect \ --enable-bundled-htp \ --disable-gccmarch-native INSTALL_TARGET= install-strip TEST_TARGET= check CONFLICTS_INSTALL= libhtp SUB_FILES= pkg-message PLIST_SUB= PORTVERSION=${DISTVERSION:C/-/_/g} OPTIONS_DEFINE= GEOIP IPFW NETMAP NSS PORTS_PCAP PRELUDE \ PYTHON REDIS TESTS OPTIONS_DEFINE_amd64= HYPERSCAN OPTIONS_DEFAULT= IPFW NETMAP PYTHON OPTIONS_RADIO= SCRIPTS OPTIONS_RADIO_SCRIPTS= LUA LUAJIT OPTIONS_SUB= yes PRELUDE_BROKEN= Compilation broken, see https://redmine.openinfosecfoundation.org/issues/4065 GEOIP_DESC= GeoIP support HYPERSCAN_DESC= Hyperscan support IPFW_DESC= IPFW and IP Divert support for inline IDP LUAJIT_DESC= LuaJIT scripting support LUA_DESC= LUA scripting support NETMAP_DESC= Netmap support for inline IDP NSS_DESC= File checksums and SSL/TLS fingerprinting PORTS_PCAP_DESC= Use libpcap from ports PRELUDE_DESC= Prelude support for NIDS alerts PYTHON_DESC= Python-based update and control utilities REDIS_DESC= Redis output support SCRIPTS_DESC= Scripting TESTS_DESC= Unit tests in suricata binary GEOIP_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb GEOIP_CONFIGURE_ON= --enable-geoip HYPERSCAN_LIB_DEPENDS= libhs.so:devel/hyperscan IPFW_CONFIGURE_ON= --enable-ipfw LUAJIT_LIB_DEPENDS= libluajit-5.1.so:lang/luajit-openresty LUAJIT_CONFIGURE_ON= 
--enable-luajit LUA_USES= lua:51 LUA_CONFIGURE_ON= --enable-lua NETMAP_CONFIGURE_ENABLE= netmap NSS_LIB_DEPENDS= libnss3.so:security/nss \ libnspr4.so:devel/nspr NSS_CONFIGURE_OFF= --disable-nss --disable-nspr PORTS_PCAP_LIB_DEPENDS= libpcap.so.1:net/libpcap PRELUDE_LIB_DEPENDS= libprelude.so:security/libprelude \ libgnutls.so:security/gnutls \ libgcrypt.so:security/libgcrypt \ libgpg-error.so:security/libgpg-error \ libltdl.so:devel/libltdl PRELUDE_CONFIGURE_ON= --with-libprelude-prefix=${LOCALBASE} PRELUDE_CONFIGURE_ENABLE= prelude PYTHON_BUILD_DEPENDS= ${PYTHON_RUN_DEPENDS} PYTHON_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}yaml>0:devel/py-yaml@${PY_FLAVOR} PYTHON_USES= python PYTHON_USE= PYTHON=py3kplist PYTHON_CONFIGURE_ENABLE= python REDIS_LIB_DEPENDS= libhiredis.so:databases/hiredis \ libevent_pthreads.so:devel/libevent REDIS_CONFIGURE_ON= --enable-hiredis \ TESTS_CONFIGURE_ENABLE= unittests pre-patch: @${CP} ${FILESDIR}/ax_check_compile_flag.m4 ${WRKSRC}/m4 post-patch: # Disable vendor checksums @${REINPLACE_CMD} 's,"files":{[^}]*},"files":{},' \ ${WRKSRC}/rust/vendor/*/.cargo-checksum.json post-patch-PYTHON-on: @${REINPLACE_CMD} -e "/AC_PATH_PROGS.*HAVE_PYTHON/ s/python[^,]*,/${PYTHON_VERSION},/g" \ ${WRKSRC}/configure.ac post-install: @${MKDIR} ${STAGEDIR}${ETCDIR} ${STAGEDIR}/var/log/suricata .for f in classification.config reference.config @${MV} ${STAGEDIR}${DATADIR}/${f} ${STAGEDIR}${ETCDIR}/${f}.sample .endfor .for f in suricata.yaml threshold.config ${INSTALL_DATA} ${WRKSRC}/${f} ${STAGEDIR}${ETCDIR}/${f}.sample .endfor post-install-PYTHON-on: (cd ${STAGEDIR}${PREFIX} \ && ${PYTHON_CMD} ${PYTHON_LIBDIR}/compileall.py \ -d ${PYTHONPREFIX_SITELIBDIR} -f ${PYTHONPREFIX_SITELIBDIR:S;${PREFIX}/;;}) .include diff --git a/security/suricata/files/patch-3c53a1601 b/security/suricata/files/patch-3c53a1601 new file mode 100644 index 000000000000..d70b3c563e5a --- /dev/null +++ b/security/suricata/files/patch-3c53a1601 
@@ -0,0 +1,78 @@
+From 3c53a1601b6f861f8b7f0cd0984b18e78291fe85 Mon Sep 17 00:00:00 2001
+From: Victor Julien
+Date: Wed, 18 Aug 2021 20:14:48 +0200
+Subject: [PATCH] threading: don't pass locked flow between threads
+
+Previously the flow manager would share evicted flows with the workers
+while keeping the flows mutex locked. This reduced the number of unlock/
+lock cycles while there was guaranteed to be no contention.
+
+This turns out to be undefined behavior. A lock is supposed to be locked
+and unlocked from the same thread. It appears that FreeBSD is stricter on
+this than Linux.
+
+This patch addresses the issue by unlocking before handing a flow off
+to another thread, and locking again from the new thread.
+
+Issue was reported and largely analyzed by Bill Meeks.
+
+Bug: #4478
+(cherry picked from commit 9551cd05357925e8bec8e0030d5f98fd07f17839)
+---
+ src/flow-hash.c | 1 +
+ src/flow-manager.c | 2 +-
+ src/flow-timeout.c | 1 +
+ src/flow-worker.c | 1 +
+ 4 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/flow-hash.c b/src/flow-hash.c
+index ebbd836e81a..760bc53e0a8 100644
+--- src/flow-hash.c
++++ src/flow-hash.c
+@@ -669,6 +669,7 @@ static inline void MoveToWorkQueue(ThreadVars *tv, FlowLookupStruct *fls,
+ f->fb = NULL;
+ f->next = NULL;
+ FlowQueuePrivateAppendFlow(&fls->work_queue, f);
++ FLOWLOCK_UNLOCK(f);
+ } else {
+ /* implied: TCP but our thread does not own it. So set it
+ * aside for the Flow Manager to pick it up. */
+diff --git a/src/flow-manager.c b/src/flow-manager.c
+index d58a49637d6..9228c88490c 100644
+--- src/flow-manager.c
++++ src/flow-manager.c
+@@ -333,9 +333,9 @@ static uint32_t ProcessAsideQueue(FlowManagerTimeoutThread *td, FlowTimeoutCount
+ FlowForceReassemblyNeedReassembly(f) == 1)
+ {
+ FlowForceReassemblyForFlow(f);
++ FLOWLOCK_UNLOCK(f);
+ /* flow ownership is passed to the worker thread */
+
+- /* flow remains locked */
+ counters->flows_aside_needs_work++;
+ continue;
+ }
+diff --git a/src/flow-timeout.c b/src/flow-timeout.c
+index 972b35076bd..d6cca490087 100644
+--- src/flow-timeout.c
++++ src/flow-timeout.c
+@@ -401,6 +401,7 @@ static inline void FlowForceReassemblyForHash(void)
+ RemoveFromHash(f, prev_f);
+ f->flow_end_flags |= FLOW_END_FLAG_SHUTDOWN;
+ FlowForceReassemblyForFlow(f);
++ FLOWLOCK_UNLOCK(f);
+ f = next_f;
+ continue;
+ }
+diff --git a/src/flow-worker.c b/src/flow-worker.c
+index 69dbb6ac575..dccf3581dd5 100644
+--- src/flow-worker.c
++++ src/flow-worker.c
+@@ -168,6 +168,7 @@ static void CheckWorkQueue(ThreadVars *tv, FlowWorkerThreadData *fw,
+ {
+ Flow *f;
+ while ((f = FlowQueuePrivateGetFromTop(fq)) != NULL) {
++ FLOWLOCK_WRLOCK(f);
+ f->flow_end_flags |= FLOW_END_FLAG_TIMEOUT; //TODO emerg
+
+ const FlowStateType state = f->flow_state;
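Review bot: The new hand-off invariant is left undocumented at the sites that implement it — the old `/* flow remains locked */` comment in ProcessAsideQueue is deleted, but none of the three added `FLOWLOCK_UNLOCK(f)` lines nor the `FLOWLOCK_WRLOCK(f)` added at the top of the CheckWorkQueue loop state that a flow now crosses threads unlocked and must be re-locked by the receiving thread. A one-line comment at each site, e.g. `/* hand-off: flows travel between threads unlocked; the receiver takes the lock (see CheckWorkQueue) */`, would keep a later change from re-introducing the cross-thread unlock, which the commit message correctly identifies as undefined behaviour under the pthread locking rules (for both mutex and rwlock variants of the FLOWLOCK macros, whichever this build selects). In flow-manager.c and flow-timeout.c the unlock is placed after `FlowForceReassemblyForFlow(f)`, so if that call is what makes the flow visible to a worker there is a window in which the worker can observe a still-locked flow; that is safe only if every consumer locks the flow before touching or recycling it, which this hunk guarantees for the private-queue path but should be confirmed for whatever path FlowForceReassemblyForFlow uses. The unlock that balances the new `FLOWLOCK_WRLOCK(f)` in CheckWorkQueue lies outside the hunk, as does the rest of each of the four enclosing functions.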