doc: add multi buffer matching documentation v2

[jmtaylor90]

Make sure these boxes are signed before submitting your Pull Request -- thank you.

• I have read the contributing guide lines at https://suricata.readthedocs.io/en/latest/devguide/codebase/contributing/contribution-process.html
• I have signed the Open Information Security Foundation contribution agreement at https://suricata.io/about/contribution-agreement/
• I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)

Link to redmine ticket:

https://redmine.openinfosecfoundation.org/issues/6032

Describe changes:

• Add documentation describing multi buffer matching behavior
• Add links to relevant keyword documentation for multi buffer matching

Provide values to any of the below to override the defaults.

To use a pull request use a branch name like pr/N where N is the
pull request number.

Alternatively, SV_BRANCH may also be a link to an
OISF/suricata-verify pull-request.

SV_REPO=
SV_BRANCH=
SU_REPO=
SU_BRANCH=
LIBHTP_REPO=
LIBHTP_BRANCH=

[catenacyber]

Thanks for this @jmtaylor90

Would you also add an example with
dns.query; content:"example"; content:".com"; ?
And say that these will match on the same dns query buffer (or a better wording)
(maybe this is better illustrated with http2.header)

[jmtaylor90]

Yes, I will add and look at the explanation again today. I went back and forth a bit on which example to use for a signature, I started with using a variation of the signature from your suricata-verify test for the http2 multi buffer but I wasn't sure if the concept remained clear throughout the explanation of the behavior changes.
Thanks for the review/comments.

[jmtaylor90]

continued in #9174

[jufajardini]

Doc changes and explanation look good to me, taking into account adjusting as asked by Philippe :)

In that regard, since this is a new concept, I think that it could be helpful to have more than one example, and maybe highlight the difference in behavior a bit more?