There are different triggers within the anomaly detection functionality; from your description you triggered this (Brute-Force Protection) for a single user so a different user from the same IP address will not be affected.
If you trigger this one (Brute-Force Protection) then the actual IP address will be blocked for some time.
In relation to your last question, from the test you performed (a user got blocked) a event log entry of type limit_wc (Logs) should have been generated. In that specific log entry I believe the IP from the header will be surfaced as that entry is specific to anomaly detection.