Sometimes you want to include another project directly in your source tree, and not just as a git subproject or similar. That's fine, but there are some steps to follow.
The commit message needs to contain at least:
- License of the upstream package
- Original checksum of all files
- Upstream URL
- Upstream git/svn/tracker
- Author / Others
- exact version number of the release
Checksum should be sha1 or sha256 sums of the upstream files, in unmodified form. This is for future protection in case of legal issues.
The commit needs to include the valid license file for the upstream project. All common licenses that I know about require you to ship a copy of the license with the source. In the future, if you change this file, you should always do it in separate commits, keeping the license in mind.
Make sure that no other files are changed in this commit. No modifications to the upstream project, no additions to build systems or documentation.
Make sure that the information in the commit message is enough to reliably reproduce this checkout. If the upstream package is a git checksum, include that and the original tree URL. (pointing at this release, tag, or blob, not at head/master)
These are all pretty much basic legal requirements when working with other's code.
Then, if you ever make changes to the included files (adding modules or stripping parts, etc.) those have to be done in separate commits.