First you need to understand what the "alert.id" metakey is used for, and then stop using it. "alert.id" is a holding key for meta values created by app rules, parsers, and feeds. When a value is created in alert.id, it is then processed by 3 feeds:
Each feed processes the value of the "alert.id" key and populates multiple metakeys from that one alert.id value.
These in turn can be used by other application rules to generate "alert" meta in the system.
alert.id was never meant to be used as a catch-all for customer data. In fact, customers that are sending data to this key should change where they send that data, so as to not cause false positives within the other categories. alert.id values are NOT alerts; some of them just generate "information" (risk.info) that is useful when determining what traffic in a session is doing, or things that are of a suspicious nature ("protocol not over a standard port" or "non-standard traffic over a standard port").
I generally configure two additional meta keys for customers, "customer.alert" and "customer.info", so that as they develop rules or feeds that are tagging data (informational) that they use to BUILD an alert, they have a place to put it (customer.info) without using built-in NetWitness keys. The same goes for their alerts: they put them in "customer.alert" so they know which alerts are generated from home-grown intelligence and which alerts are generated by the NetWitness content.
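As an added example (not part of the post above and not NetWitness code), the script below audits a list of app rules and feeds for home-grown content that still writes to alert.id, and renders index entries for the two custom keys the post recommends. It assumes a constructed, simplified export format (one entry per line, tab-separated: kind, name, condition, target meta key) rather than the product's real .nwr or feed definition files; it assumes a naming convention ("Customer:" prefix) to separate home-grown content from built-in NetWitness content; and the key-name constraint (lowercase letters, digits and dots, at most 16 characters) and the index-concentrator-custom.xml attribute set are my understanding of the product's conventions, to be checked against the documentation for your version.

```python
"""Audit app rules and feeds for writes to the built-in alert.id key.

Added example, not NetWitness code. Input format, naming convention and
key-name constraint are assumptions documented inline.
"""
import re

ALERT_ID = "alert.id"             # built-in holding key discussed in the post
CUSTOM_INFO = "customer.info"     # customer tagging / informational meta
CUSTOM_ALERT = "customer.alert"   # customer-generated alerts
CUSTOMER_PREFIX = "Customer:"     # assumed naming convention, not a product rule

# Assumed constraint on meta key names: lowercase letters, digits and dots,
# at most 16 characters in total.
KEY_NAME_RE = re.compile(r"^[a-z][a-z0-9.]{0,15}$")

# Constructed sample export (not real rules, feeds or customer data).
# Fields: kind, name, condition, target meta key (tab-separated).
SAMPLE_EXPORT = """\
rule\tHTTP on non-standard port\tservice=80 && ip.dstport!=80\talert.id
rule\tCustomer: scanner user agent\tclient='evilscanner/1.0'\talert.id
feed\tCustomer: threat list\tip.dst\talert.id
rule\tCustomer: PowerShell over HTTP\tclient contains 'WindowsPowerShell'\tcustomer.info
rule\tCustomer: C2 beacon\tcustomer.info='ps-over-http' && alias.host='c2.example'\tcustomer.alert
rule\tCustomer: bad key name\tservice=53\tCustomerSuspiciousDNSQueries
"""


def parse_export(text):
    """Parse the constructed export into dicts; raise on malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields")
        kind, name, condition, target = fields
        if kind not in ("rule", "feed"):
            raise ValueError(f"line {lineno}: unknown kind {kind!r}")
        entries.append({"kind": kind, "name": name,
                        "condition": condition, "target": target})
    return entries


def audit(entries, customer_prefix=CUSTOMER_PREFIX):
    """Return (name, problem) pairs for customer content that writes alert.id
    or targets a badly named key. Built-in content that writes alert.id is
    left alone: that is what the holding key is for."""
    findings = []
    for e in entries:
        is_customer = e["name"].startswith(customer_prefix)
        if is_customer and e["target"] == ALERT_ID:
            findings.append((e["name"],
                             f"{e['kind']} writes {ALERT_ID}; move tagging to "
                             f"{CUSTOM_INFO} or alerts to {CUSTOM_ALERT}"))
        elif not KEY_NAME_RE.match(e["target"]):
            findings.append((e["name"],
                             f"target key {e['target']!r} is not a valid key name"))
    return findings


def custom_index_keys(keys=(CUSTOM_INFO, CUSTOM_ALERT)):
    """Render <key> entries for the custom keys in the shape used by
    index-concentrator-custom.xml (attribute names assumed; verify against
    the documentation for your NetWitness version)."""
    lines = []
    for key in keys:
        if not KEY_NAME_RE.match(key):
            raise ValueError(f"bad key name {key!r}")
        desc = key.replace(".", " ").title()
        lines.append(f'<key description="{desc}" format="Text" '
                     f'level="IndexValues" name="{key}" valueMax="10000"/>')
    return "\n".join(lines)


if __name__ == "__main__":
    for name, problem in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{name}: {problem}")
    print(custom_index_keys())
```

Run it as-is to see the three findings from the constructed sample: two pieces of home-grown content still landing in alert.id, and one rule whose target key would not be accepted as a key name. The built-in "HTTP on non-standard port" entry is deliberately not flagged.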