diff --git a/doc/userguide/rules/meta.rst b/doc/userguide/rules/meta.rst index 7132f2dff6..15edb28616 100644 --- a/doc/userguide/rules/meta.rst +++ b/doc/userguide/rules/meta.rst @@ -179,3 +179,20 @@ keyword because it is part of the signature language. The format is: :: metadata:......; + +Target +------ + +The target keyword allows the rules writer to specify which side of the +alert is the target of the attack. If specified, the alert event is enhanced +to contain information about source and target. + +The format is: + +:: + + target: [src_ip|dest_ip] + +If the value is src_ip then the source IP in the generated event (src_ip +field in JSON) is the target of the attack. If target is set to dest_ip +then the target is the destination IP in the generated event.
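Review bot: The format line in the new Target section, "target: [src_ip|dest_ip]", has no terminating semicolon, while the metadata format line in the context just above it ends with one ("metadata:......;"). Suggest writing it as "target:[src_ip|dest_ip];" and adding a sentence that exactly one of the two values is given, since the square brackets can be read as literal syntax. The first paragraph says the alert event is "enhanced to contain information about source and target" but does not name the fields that are added or say what the event looks like when the keyword is absent; a short example rule with the resulting event fragment would let a rule writer check the output. The last paragraph also switches wording between "If the value is src_ip" and "If target is set to dest_ip"; using the same phrasing for both cases would read more clearly.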