feat(ja4ebpf): add dst_ip/dst_port to TLS and HTTP plain events for complete L3/L4

Add dst_ip and dst_port fields to tls_hello_event BPF struct and populate
them in tc_capture.c. Update Go TLS event handler with new byte offsets
(payload[2048]+src_ip(4)+dst_ip(4)+src_port(2)+dst_port(2)+payload_len(2)+
timestamp_ns(8) = 2070 bytes). Read dst_ip/dst_port from HTTP plain events
and use them to populate L3L4 when SYN was not captured, ensuring dst_ip
and dst_port are always available in ClickHouse for both TLS and HTTP sessions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

services/ja4ebpf/bpf/bpf_types.h

@@ -54,7 +54,9 @@ struct tcp_syn_event {
 struct tls_hello_event {
     __u8  payload[2048];         /* payload ClientHello brut (offset 0) */
     __u32 src_ip;                /* adresse source (host byte order) */
+    __u32 dst_ip;                /* adresse destination (host byte order) */
     __u16 src_port;              /* port source (host byte order) */
+    __u16 dst_port;              /* port destination (host byte order) */
     __u16 payload_len;           /* longueur effective du payload */
     __u64 timestamp_ns;          /* horodatage kernel */
 } __attribute__((packed));

services/ja4ebpf/bpf/tc_capture.c

@@ -209,12 +209,16 @@ int capture_tc(struct __sk_buff *ctx)
             return TC_ACT_OK;
 
         tls_evt->src_ip       = 0;
+        tls_evt->dst_ip       = 0;
         tls_evt->src_port     = 0;
+        tls_evt->dst_port     = 0;
         tls_evt->payload_len  = 0;
         tls_evt->timestamp_ns = 0;
 
         tls_evt->src_ip       = bpf_ntohl(src_ip);
+        tls_evt->dst_ip       = bpf_ntohl(dst_ip);
         tls_evt->src_port     = src_port;
+        tls_evt->dst_port     = dst_port;
         tls_evt->timestamp_ns = bpf_ktime_get_ns();
 
         /* Copie via bpf_skb_load_bytes avec tailles constantes en cascade.