Here's a PCAP with an example. I've anonymized the IPs, so it can be shared publicly/used as a test if desired.
It does look like the first connection wasn't torn down in a completely normal way - if I run just that connection through Bro, conn_state is S3, and there are some missed bytes.
Unfortunately, this is a pretty common occurrence when we're being scanned - traffic spikes, causing Bro to miss more bytes, leading to more of these incorrect connections.
The specific issue is that the jump in seq numbers between the first and second connection causes Bro to think that a lot of traffic was simply missed. This leads to false positives with the SSH heuristic, since now the byte total is over the threshold.
Digging into this, I realize it wasn't as closely related to this ticket as I thought, so let me know if I should file a new ticket for this.
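To make the failure mode in the comment above concrete, here is an added, self-contained model of the accounting problem. It is not code from the ticket and not Bro's own reassembly logic; it is a simplified simulation in which every segment is assumed to belong to one 4-tuple in one direction, the segments are constructed by hand, and `EXAMPLE_THRESHOLD` is an arbitrary assumed value rather than anything Bro actually uses. It shows how treating two back-to-back connections on the same 4-tuple as a single flow turns the ISN jump into "missed" bytes, and how splitting the flow at the second SYN makes the inflated total disappear.

```python
from dataclasses import dataclass

SEQ_MASK = 0xFFFFFFFF          # TCP sequence numbers are 32-bit and wrap
HALF_SPACE = 1 << 31           # gaps below this are "forward", above are old/retransmitted data

# Assumed threshold for the illustration only; not the real heuristic's value.
EXAMPLE_THRESHOLD = 4000


@dataclass
class Segment:
    seq: int                   # absolute (not relative) sequence number
    length: int                # payload bytes
    syn: bool = False


# Constructed sample, one direction of one 4-tuple:
#   conn 1 starts at ISN 1000, sends 500 bytes and is never torn down cleanly;
#   conn 2 reuses the same 4-tuple with a new SYN and a much larger ISN.
#   One retransmission is included to show it is not counted as missed data.
SEGMENTS = [
    Segment(seq=1000, length=0, syn=True),        # conn 1: SYN, ISN = 1000
    Segment(seq=1001, length=200),
    Segment(seq=1201, length=300),
    Segment(seq=1001, length=200),                # retransmission of old data
    Segment(seq=5_000_000, length=0, syn=True),   # conn 2: new SYN, ISN = 5,000,000
    Segment(seq=5_000_001, length=150),
    Segment(seq=5_000_151, length=100),
]


def account_bytes(segments):
    """Return (seen, missed) for a list of segments treated as ONE flow.

    'seen' is payload actually observed; 'missed' is the size of every forward
    gap between the next expected sequence number and the segment that arrived.
    Data at or behind the expected point (retransmits, reordering) is ignored.
    """
    expected = None
    seen = 0
    missed = 0
    for s in segments:
        if expected is not None:
            gap = (s.seq - expected) & SEQ_MASK
            if gap >= HALF_SPACE:      # old data: retransmission or reordering
                continue
            missed += gap
        seen += s.length
        # SYN occupies one sequence number in addition to any payload.
        expected = (s.seq + s.length + (1 if s.syn else 0)) & SEQ_MASK
    return seen, missed


def split_on_syn(segments):
    """Start a fresh flow whenever a SYN arrives mid-stream.

    A new SYN on the same 4-tuple means a new connection with an unrelated ISN,
    so the jump in sequence numbers is not evidence of missed traffic.
    """
    flows, current = [], []
    for s in segments:
        if s.syn and current:
            flows.append(current)
            current = []
        current.append(s)
    if current:
        flows.append(current)
    return flows


def over_threshold(seen, missed, threshold=EXAMPLE_THRESHOLD):
    """Model of a size-based heuristic that counts missed bytes as transferred."""
    return seen + missed >= threshold


if __name__ == "__main__":
    naive = account_bytes(SEGMENTS)
    print("single flow  : seen=%d missed=%d over=%s" % (*naive, over_threshold(*naive)))
    for i, flow in enumerate(split_on_syn(SEGMENTS), 1):
        seen, missed = account_bytes(flow)
        print("conn %d       : seen=%d missed=%d over=%s"
              % (i, seen, missed, over_threshold(seen, missed)))
```

Run as a script it reports the single-flow view as 750 bytes seen plus roughly 5 MB "missed", which trips the assumed threshold, while the per-connection view shows 500 and 250 bytes with nothing missed. Real traffic also needs the second direction, ACK tracking, and the usual seq/ack sanity checks before trusting a SYN as a connection boundary; the point here is only that the gap computation must restart at each new ISN.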