diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 51784a24cd..f51fa543d6 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -253,12 +253,16 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
 
             /* set verdict on packet */
             p->action |= p->alerts.alerts[i].action;
+
             if (p->alerts.alerts[i].action & ACTION_PASS) {
                 /* Ok, reset the alert cnt to end in the previous of pass
                  * so we ignore the rest with less prio */
                 p->alerts.cnt = i;
                 break;
-            } else if ( ((p->alerts.alerts[i].flags & PACKET_ALERT_FLAG_DROP_FLOW) ||
+            /* if the signature wants to drop, check if the
+             * PACKET_ALERT_FLAG_DROP_FLOW flag is set. */
+            } else if (p->alerts.alerts[i].action & ACTION_DROP &&
+                    ((p->alerts.alerts[i].flags & PACKET_ALERT_FLAG_DROP_FLOW) ||
                          (s->flags & SIG_FLAG_APPLAYER))
                        && p->flow != NULL)
             {