From f5ad6a209527ba6df554f6c3334f2392afcaed04 Mon Sep 17 00:00:00 2001 From: Eric Leblond Date: Tue, 6 Jun 2017 18:35:48 +0200 Subject: [PATCH] doc: document target keyword --- doc/userguide/rules/meta.rst | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/doc/userguide/rules/meta.rst b/doc/userguide/rules/meta.rst index 7132f2dff6..15edb28616 100644 --- a/doc/userguide/rules/meta.rst +++ b/doc/userguide/rules/meta.rst @@ -179,3 +179,20 @@ keyword because it is part of the signature language. The format is: :: metadata:......; + +Target +------ + +The target keyword allows the rules writer to specify which side of the +alert is the target of the attack. If specified, the alert event is enhanced +to contain information about source and target. + +The format is: + +:: + + target: [src_ip|dest_ip] + +If the value is src_ip then the source IP in the generated event (src_ip +field in JSON) is the target of the attack. If target is set to dest_ip +then the target is the destination IP in the generated event.
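Review bot: The format line `target: [src_ip|dest_ip]` in the new Target section omits the terminating semicolon that the `metadata:......;` format just above it shows, and the square brackets can be read as literal syntax. Suggest writing it as `target:[src_ip|dest_ip];` and stating that exactly one of the two values is given. The first paragraph also says the alert event is "enhanced to contain information about source and target" without naming the fields that appear in the JSON output, so a reader cannot tell what to look for in the event. Naming those fields and adding one complete example rule that uses the keyword would let the section stand on its own.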