From 7c5285e5e6d4434bd92d189aa368b8494911ba24 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Wed, 21 Jan 2026 10:08:27 +0100 Subject: [PATCH] doc/userguide: explain isdataat absolute vs relative difference Ticket: #8031. --- doc/userguide/rules/payload-keywords.rst | 32 ++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index 25f74d853e..fdcd9f9869 100644 --- a/doc/userguide/rules/payload-keywords.rst +++ b/doc/userguide/rules/payload-keywords.rst @@ -271,6 +271,38 @@ You can also use the negation (!) before isdataat. .. image:: payload-keywords/isdataat1.png +absolute vs relative values +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The absolute ``isdataat`` checks will succeed if the offset used is +**less than** the size of the inspection buffer. + +For *relative* ``isdataat`` checks, there is a **1 byte difference** vs +the absolute handling. + +Matching will succeed if the relative offset is **less than or equal to** +the size of the inspection buffer. This is different from absolute +``isdataat`` checks. + +As an example, consider a 32 byte payload: + ++---------------------------+--------+ +| rule statement | Match? | ++---------------------------+--------+ +| ``isdataat:31;`` | Yes | ++---------------------------+--------+ +| ``isdataat:32;`` | No | ++---------------------------+--------+ +| ``isdataat:31,relative;`` | Yes | ++---------------------------+--------+ +| ``isdataat:32,relative;`` | Yes | ++---------------------------+--------+ +| ``isdataat:33,relative;`` | No | ++---------------------------+--------+ + +A discussion of this difference can be found at +https://redmine.openinfosecfoundation.org/issues/8031 + absent ------
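Review bot: The relative rule in the new "absolute vs relative values" section is stated against the wrong base: "Matching will succeed if the relative offset is **less than or equal to** the size of the inspection buffer" only holds when the previous match ended at offset 0, because a `relative` isdataat is measured from the end of the preceding content match, not from the start of the buffer. The table then lists `isdataat:31,relative;` through `isdataat:33,relative;` against a 32 byte payload without saying what the preceding match is, so a reader cannot tell why 32 matches relatively but not absolutely. Suggest rephrasing the relative sentence to something like "Matching will succeed if the relative offset is **less than or equal to** the number of bytes remaining after the end of the previous match" and adding one sentence above the table stating the assumption the relative rows rely on (for example that the last match ended at offset 0, so all 32 bytes remain). The "1 byte difference" sentence would also read better if it named the two comparisons directly (`<` for absolute, `<=` for relative) rather than only asserting a difference and leaving the reader to infer it from the table.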