diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst index 66eb7c68a5..7004b1e108 100644 --- a/doc/userguide/output/eve/eve-json-format.rst +++ b/doc/userguide/output/eve/eve-json-format.rst @@ -383,6 +383,9 @@ If extended logging is enabled the following fields are also included: * "version": The SSL/TLS version used * "notbefore": The NotBefore field from the TLS certificate * "notafter": The NotAfter field from the TLS certificate +* "ja3": The JA3 fingerprint consisting of both a JA3 hash and a JA3 string + +JA3 must be enabled in the Suricata config file (set 'app-layer.protocols.tls.ja3-fingerprints' to 'yes'). In addition to this, custom logging also allows the following fields: diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst index d137f7ec03..232ef26338 100644 --- a/doc/userguide/output/eve/eve-json-output.rst +++ b/doc/userguide/output/eve/eve-json-output.rst @@ -107,7 +107,7 @@ YAML:: extended: yes # enable this for extended logging information # custom allows to control which tls fields that are included # in eve-log - #custom: [subject, issuer, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + #custom: [subject, issuer, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3] The default is to log certificate subject and issuer. If ``extended`` is enabled, then the log gets more verbose.
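Review bot: In the eve-json-format.rst hunk, the added "ja3" bullet says the field consists of "both a JA3 hash and a JA3 string" but does not say that it is an object or name its sub-keys. Every other entry in this list is a single value, so a reader writing a parser or detection query cannot tell from this text what to match on. Please name the keys of the object in the bullet. The sentence "JA3 must be enabled in the Suricata config file" also now sits directly before "In addition to this, custom logging also allows the following fields:", so "this" reads as referring to the JA3 requirement. Consider folding the requirement into the bullet itself, and marking up the setting as an RST literal (``app-layer.protocols.tls.ja3-fingerprints``) rather than with single quotes, as is done for ``extended`` in eve-json-output.rst.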
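Review bot: In the eve-json-output.rst hunk, "ja3" is added to the commented "#custom:" list without any mention that it depends on 'app-layer.protocols.tls.ja3-fingerprints' being set to 'yes'. That requirement is stated only in eve-json-format.rst. A user who copies this line and uncomments it gets no hint about why the field might be missing from their TLS events. Please add a short YAML comment above the "#custom:" line, or a sentence after "If ``extended`` is enabled, then the log gets more verbose.", pointing to the setting.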