diff --git a/src/alert-json.c b/src/alert-json.c
index 6ae68a5656..36913f7662 100644
--- a/src/alert-json.c
+++ b/src/alert-json.c
@@ -312,12 +312,12 @@ TmEcode OutputJSON(json_t *js, void *data, uint64_t *count)
 return TM_ECODE_OK;
 SCMutexLock(&aft->file_ctx->fp_mutex);
- if (json_out == ALERT_FILE) {
+ if (json_out == ALERT_SYSLOG) {
+ syslog(alert_syslog_level, "%s", js_s);
+ } else if (json_out == ALERT_FILE) {
 MemBufferWriteString(buffer, "%s\n", js_s);
 (void)MemBufferPrintToFPAsString(buffer, aft->file_ctx->fp);
 fflush(aft->file_ctx->fp);
- } else {
- syslog(alert_syslog_level, "%s", js_s);
 }
 *count += 1;
 SCMutexUnlock(&aft->file_ctx->fp_mutex);
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 6cf93ccfa9..8172b90dd3 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -87,6 +87,11 @@ outputs:
 enabled: yes
 type: file #file|syslog|unix_dgram|unix_stream
 filename: eve.json
+ # the following are valid when type: syslog above
+ #identity: "suricata"
+ #facility: local5
+ #level: Info ## possible levels: Emergency, Alert, Critical,
+ ## Error, Warning, Notice, Info, Debug
 types:
 - alert
 - http:
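Review bot: With the trailing `else` removed, any `json_out` value other than `ALERT_SYSLOG` or `ALERT_FILE` now writes nothing, yet `*count += 1;` still runs, so the event is counted as emitted while being dropped. The sample config touched in this same commit advertises `unix_dgram` and `unix_stream` as types; if those values can reach OutputJSON (not visible in this hunk), alerts would be lost silently, which for an IDS means missing detections with no error. I would add a final `else` that reports the unsupported output type, and increment `*count` only in the branches that actually wrote. Separately, syslog implementations commonly cap message length, so a large `js_s` may arrive truncated as invalid JSON; a comment next to the `syslog()` call noting this would help whoever builds the downstream parser. OutputJSON starts and ends outside the hunk.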