Currently all failed login attempts are stored in the same data structure, no matter from which wiki they occur. However the different subwikis might as well have different policies configured, with the odd result that a user can be blocked in one, but gets unblocked when trying to login to another wiki with a much shorter expiration time.
The different login attempts thus should be stored by wiki. If a user does not exist in a subwiki but in the main wiki, the information should be stored in the main wiki. (If the account does not exist in any wiki, it does not matter much.)