Support SPDX 3 component properties #1970

@wagoodman

Today CycloneDX allows for arbitrary properties on package components, which we've leveraged in order to map non-compliant fields into the CycloneDX SBOM without going against the CycloneDX spec (see here).

SPDX 3.0 will soon implement a similar feature to this. I'm opening this issue as a placeholder for when syft supports SPDX 3.0 to consider implementing a similar capability so we can express pkg.Package.Metadata as arbitrary properties. (See a related issue, anchore/grype#1245, that could have been solved with these SPDX 3 features but is not possible in SPDX 2.)

Metadata

Assignees: No one assigned

Labels: enhancement (New feature or request), format:spdx (SPDX related enhancement or bug)

Type: No type

Projects: Status: Backlog

Relationships: None yet

Development: No branches or pull requests
