I suggest changing the name of this notice to SQL_Injection_Target. Having "victim" in the name implies to me that the attack succeeded, which is not what the associated logic is about.
Indeed, I even wonder if this notice is useful. The information should be directly available from SQL_Injection_Attacker notices (though it doesn't appear to be currently set up to provide this - why not?).