If you want to use Suricata on interfaces where is ZA used, you need to disable ZA on them first.
If you want to use Suricata with ZA together they do not stack on top of each other. ZA was developed to protect the LAN. The Co-deployment should be done Suricata on WAN and ZA on LAN.
Not sure about the NTOPNG as I do not use it, but give it a try.Also do you have any HW offloading (CRC, TSO & LRO) enabled?After you removed ZA, did you reboot the device?As I mentioned this error you see is usually due to the fact that Suricata fights with some other system for the NMAP on that specific interface.Regards,S.