diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c
index 2f5cfe6837..29c0a94131 100644
--- a/src/detect-engine-build.c
+++ b/src/detect-engine-build.c
@@ -1962,7 +1962,8 @@ int SigPrepareStage2(DetectEngineCtx *de_ctx)
 }
 /* add ethernet sigs and decoder events to the ethernet sgh */
- if ((s->type == SIG_TYPE_PKT && SigIsEthernetAddToNonIP(s)) || s->type == SIG_TYPE_DEONLY) {
+ if ((s->type == SIG_TYPE_PKT && SigIsEthernetAddToNonIP(s)) || s->type == SIG_TYPE_DEONLY ||
+ (s->init_data->proto.flags & DETECT_PROTO_L2_ANY)) {
 // ethernet
 SCLogNotice("rule: %u: add to non-IP", s->id);
 DetectEngineAddEthernetSig(de_ctx, s);
diff --git a/src/detect-engine-proto.c b/src/detect-engine-proto.c
index 4f6305faa9..b162136d88 100644
--- a/src/detect-engine-proto.c
+++ b/src/detect-engine-proto.c
@@ -65,7 +65,7 @@ struct {
 { "ipv6", 0, 0, DETECT_PROTO_IPV6 | DETECT_PROTO_ANY, },
 { "ip6", 0, 0, DETECT_PROTO_IPV6 | DETECT_PROTO_ANY, },
 { "ip", 0, 0, DETECT_PROTO_ANY, },
- { "pkthdr", 0, 0, DETECT_PROTO_ANY, },
+ { "pkthdr", 0, 0, DETECT_PROTO_L2_ANY, },
 { "ether", 0, 0, DETECT_PROTO_ETHERNET, },
 { "arp", 0, 0, DETECT_PROTO_ARP | DETECT_PROTO_ETHERNET, },
 // clang-format on
@@ -114,7 +114,7 @@ int DetectProtoParse(DetectProto *dp, const char *str)
 * \retval 1 protocol is in the set */
 int DetectProtoContainsProto(const DetectProto *dp, int proto)
 {
- if (dp == NULL || dp->flags & DETECT_PROTO_ANY)
+ if (dp == NULL || dp->flags & (DETECT_PROTO_ANY | DETECT_PROTO_L2_ANY))
 return 1;
 if (dp->proto[proto / 8] & (1<<(proto % 8)))
@@ -132,7 +132,7 @@ int DetectProtoContainsProto(const DetectProto *dp, int proto)
 * \retval true protocol is in the set */
 bool DetectProtoHasExplicitProto(const DetectProto *dp, const uint8_t proto)
 {
- if (dp == NULL || dp->flags & DETECT_PROTO_ANY)
+ if (dp == NULL || dp->flags & (DETECT_PROTO_ANY | DETECT_PROTO_L2_ANY))
 return false;
 return ((dp->proto[proto / 8] & (1 << (proto % 8))));
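Review bot: The comment above the condition in SigPrepareStage2 still names only ethernet sigs and decoder events, so the new third clause is undocumented; I would extend it to `/* add ethernet sigs, decoder events and pkthdr (DETECT_PROTO_L2_ANY) sigs to the ethernet sgh */`. The clause reads `s->init_data->proto.flags` with no visible NULL check on `s->init_data`; presumably init_data is always populated at this build stage, but the hunk does not show it. The existing `SCLogNotice` in this branch will now also fire once for every pkthdr rule at load time, which may be louder than intended. The function body starts and ends outside the hunk.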
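Review bot: With this table change a `pkthdr` rule no longer carries `DETECT_PROTO_ANY`, so any code that tests `flags & DETECT_PROTO_ANY` directly will stop treating it as a match-all rule. The commit updates DetectProtoContainsProto and DetectProtoHasExplicitProto and adds such rules to the non-IP group in SigPrepareStage2; whether other direct tests of the flag remain elsewhere cannot be seen from this diff. For a detection engine that failure would be silent: the rule loads cleanly but is never evaluated against some of the traffic it used to cover. A regression test that loads a `pkthdr` rule and checks it still alerts on each packet type it is meant to cover would pin the intended behaviour.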
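Review bot: The mask `(DETECT_PROTO_ANY | DETECT_PROTO_L2_ANY)` is now spelled out twice, in DetectProtoContainsProto here and again in DetectProtoHasExplicitProto in the following hunk; a single named mask in detect-engine-proto.h, for example `#define DETECT_PROTO_ANY_MASK (DETECT_PROTO_ANY | DETECT_PROTO_L2_ANY)` (the name is only a suggestion), would keep the two checks in step when another "any" flag appears. The condition also relies on `&` binding tighter than `||`; writing `(dp->flags & DETECT_PROTO_ANY_MASK) != 0` makes that explicit. The `\retval` lines above each function should say that an any-L2 rule returns 1 from the first and false from the second for every proto. Both function bodies continue outside their hunks.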
diff --git a/src/detect-engine-proto.h b/src/detect-engine-proto.h
index b73566b56e..f57a877cc4 100644
--- a/src/detect-engine-proto.h
+++ b/src/detect-engine-proto.h
@@ -32,6 +32,7 @@
 #define DETECT_PROTO_IPV6 BIT_U8(4) /**< IPv6 only */
 #define DETECT_PROTO_ETHERNET BIT_U8(5) /**< Like ANY, but for Ethernet */
 #define DETECT_PROTO_ARP BIT_U8(6) /**< ARP packets over for Ethernet, can have VLAN(s) in between */
+#define DETECT_PROTO_L2_ANY BIT_U8(7) /**< Like ANY, but for any L2 proto. */
 // clang-format on
 typedef struct DetectProto_ {
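Review bot: The doc comment on `DETECT_PROTO_L2_ANY` does not say which keyword sets the flag or how it relates to `DETECT_PROTO_ANY`, which is exactly what a rule writer or maintainer needs to know when reasoning about coverage. Going by the table change in detect-engine-proto.c, something like `/**< set by "pkthdr": any L2 protocol; does not imply DETECT_PROTO_ANY */` would state it. `BIT_U8(7)` is also the highest bit an 8-bit field can hold, so if `flags` in DetectProto is a `uint8_t` (the struct body is outside the hunk) the next flag will need a wider field; a one-line comment saying so would help.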