Based on Robin's request, I opened this ticket.
If you use the PCAP below and analyze it using Bro:
Then, when checking files.log, tx_hosts is supposed to show the host that transmitted the file, and rx_hosts the host that received the file, according to Bro's documentation: https://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html
If you do the following:
cat files.log | bro-cut fuid tx_hosts rx_hosts | grep <ID OF THE LEAKED PDF FILE>
You'll find that the TX host IP (SrcIP) is 192.168.121.176 and not 192.168.121.179!!!
It seems that Bro switched their positions in the output. I found this in an assignment given to my students, and one of them gave me a completely different result. So when I double-checked with Wireshark, I found that the IPs had been switched by Bro.
Hope this helps.
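To reproduce the check the ticket describes without bro-cut, and to add the cross-check a reviewer would want before deciding the columns are swapped, here is an added example (not part of the ticket and not Bro's own code). It parses Bro's tab-separated ASCII log format (the #fields/#types header, '-' for unset, '(empty)' for empty sets, ',' inside sets), emulates `bro-cut fuid tx_hosts rx_hosts`, and then joins a file's conn_uids against a conn.log to report whether the transmitting host was the connection's originator or its responder. The log contents, the fuid and uid values and the conn.log records are constructed for the example; only the two IP addresses come from the ticket. Per the linked main.bro documentation, tx_hosts is the host the file data came from and rx_hosts the host it went to, so for a file delivered in an HTTP response the transmitting host is the server, i.e. the connection's responder rather than its originator; comparing tx_hosts with the conn.log sides, as below, is the check worth running when the columns look swapped.

```python
"""Parse Bro/Zeek ASCII logs and check which side of a connection sent a file.

Added example: the log contents below are constructed for illustration and are
not the ticket's PCAP output; only the two IP addresses come from the ticket.
"""
from typing import Dict, Iterator, List, Optional

# Constructed files.log. Bro's ASCII writer is tab-separated, uses '-' for unset
# fields, '(empty)' for empty sets and ',' between the members of a set.
FILES_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tfiles
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tmime_type\tfilename
#types\ttime\tstring\tset[addr]\tset[addr]\tset[string]\tstring\tstring\tstring
1389719059.311698\tFexample001\t192.168.121.176\t192.168.121.179\tCexample001\tHTTP\tapplication/pdf\t-
1389719060.418210\tFexample002\t192.168.121.179\t192.168.121.176\tCexample002\tHTTP\ttext/plain\tnotes.txt
#close\t2014-01-14-18-00-00
"""

# Constructed conn.log for the same two connections: .179 is the TCP originator
# (client) of both, .176 the responder (server on port 80).
CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1389719059.102331\tCexample001\t192.168.121.179\t51234\t192.168.121.176\t80\ttcp\thttp
1389719060.210004\tCexample002\t192.168.121.179\t51235\t192.168.121.176\t80\ttcp\thttp
"""


def parse_zeek_log(text: str) -> Iterator[Dict[str, object]]:
    """Yield one dict per record, honouring the #fields/#types header.

    set[...] and vector[...] columns become Python lists; unset columns become
    None. Assumes the default tab separator (the '#separator' line is ignored).
    """
    fields: List[str] = []
    types: List[str] = []
    set_sep, empty, unset = ",", "(empty)", "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split("\t")
            elif key == "types":
                types = value.split("\t")
            continue  # #open, #close, #path and #separator carry no record data
        record: Dict[str, object] = {}
        for name, typ, raw in zip(fields, types, line.split("\t")):
            if raw == unset:
                record[name] = None
            elif typ.startswith(("set[", "vector[")):
                record[name] = [] if raw == empty else raw.split(set_sep)
            else:
                record[name] = raw
        yield record


def bro_cut(text: str, *columns: str) -> List[List[object]]:
    """Emulate `bro-cut col1 col2 ...`: the selected columns of every record, in order."""
    return [[rec.get(col) for col in columns] for rec in parse_zeek_log(text)]


def file_direction(fuid: str, files_log: str, conn_log: str) -> Optional[Dict[str, object]]:
    """For one fuid, say whether each tx host was the originator or responder
    of the connection(s) the file was seen on. Returns None if the fuid is absent."""
    conns = {rec["uid"]: rec for rec in parse_zeek_log(conn_log)}
    for rec in parse_zeek_log(files_log):
        if rec["fuid"] != fuid:
            continue
        tx_hosts = rec["tx_hosts"] or []
        sent_by = []
        for uid in rec["conn_uids"] or []:
            conn = conns.get(uid)
            if conn is None:
                sent_by.append((uid, "unknown"))   # conn.log record not found
            elif conn["id.orig_h"] in tx_hosts:
                sent_by.append((uid, "originator"))  # client sent the bytes (upload)
            elif conn["id.resp_h"] in tx_hosts:
                sent_by.append((uid, "responder"))   # server sent the bytes (download)
            else:
                sent_by.append((uid, "inconsistent"))
        return {"tx_hosts": tx_hosts, "rx_hosts": rec["rx_hosts"], "sent_by": sent_by}
    return None


if __name__ == "__main__":
    for row in bro_cut(FILES_LOG, "fuid", "tx_hosts", "rx_hosts"):
        print("\t".join(",".join(v) if isinstance(v, list) else str(v) for v in row))
    for fuid in ("Fexample001", "Fexample002"):
        print(fuid, file_direction(fuid, FILES_LOG, CONN_LOG))
```

In the constructed data the PDF (Fexample001) is transmitted by the responder, the expected shape for an HTTP download, while Fexample002 is transmitted by the originator, the shape of an upload; the same originator/responder pair produces opposite tx_hosts values, which is why the conn.log join, not the raw column order, settles which host sent a file.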