OSSEC HIDS reports this

OSSEC HIDS Notification.
2016 Mar 04 09:06:00

Received From: (elvarx1) any->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

NTFS Alternate data stream found: 'C:\Program Files/7-Zip:Win32App_1'. Possible hidden content.

In this and a few other folders.

I have confirmed that no alternative data streams are set with

gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'

The folders that OSSEC HIDS find have the same thing in common, they have the "a" attribute set to them.

PS C:\Program Files> get-item .\7-Zip\ | select mode

Mode
----
da----

This can be seen also in the properties for the folder under advanced, there "Folder is ready for archiving" is ticked.

Is this a bug in the client? and if so, is it properly tracking alternative data streams at all?