From f5ba4c231de27e7b0d9f66177877725c7979294a Mon Sep 17 00:00:00 2001 From: Eric Leblond Date: Sun, 19 Nov 2017 20:22:46 +0100 Subject: [PATCH] doc: update following ftp-data changes --- .../file-extraction/file-extraction.rst | 4 +-- doc/userguide/rules/ftp-keywords.rst | 31 +++++++++++++++++++ doc/userguide/rules/index.rst | 1 + 3 files changed, 34 insertions(+), 2 deletions(-) create mode 100644 doc/userguide/rules/ftp-keywords.rst diff --git a/doc/userguide/file-extraction/file-extraction.rst b/doc/userguide/file-extraction/file-extraction.rst index a85567bf42..dd6d484300 100644 --- a/doc/userguide/file-extraction/file-extraction.rst +++ b/doc/userguide/file-extraction/file-extraction.rst @@ -4,9 +4,9 @@ File Extraction Architecture ~~~~~~~~~~~~ -The file extraction code works on top of the HTTP and SMTP parsers. The HTTP parser takes care of dechunking and unzipping the request and/or response data if necessary. The HTTP/SMTP parsers runs on top of the stream reassembly engine. +The file extraction code works on top of the HTTP, SMTP, NFS and NTP parsers. The HTTP parser takes care of dechunking and unzipping the request and/or response data if necessary. The application layer parsers runs on top of the stream reassembly engine. -This means that settings in the stream engine, reassembly engine and the HTTP parser all affect the workings of the file extraction. +This means that settings in the stream engine, reassembly engine and the application layer parser all affect the workings of the file extraction. What files are actually extracted and stored to disk is controlled by the rule language. diff --git a/doc/userguide/rules/ftp-keywords.rst b/doc/userguide/rules/ftp-keywords.rst new file mode 100644 index 0000000000..068b14e33c --- /dev/null +++ b/doc/userguide/rules/ftp-keywords.rst 
@@ -0,0 +1,31 @@ +FTP/FTP-DATA Keywords +===================== + +ftpdata_command +--------------- + +Filter ftp-data channel based on command used on the FTP command channel. +Currently supported commands are RETR (get on a file) and STOR (put on a +file). + +Syntax:: + + ftpdata_command:(retr|stor) + +Examples:: + + ftpdata_command:retr + ftpdata_command:stor + +Signature example:: + + alert ftp-data any any -> any any (msg:"FTP store password"; filestore; filename:"password"; ftpdata_command:stor; sid:3; rev:1;) + +ftpbounce +--------- + +Detect FTP bounce attacks. + +Syntax:: + + ftpbounce diff --git a/doc/userguide/rules/index.rst b/doc/userguide/rules/index.rst index 6ddc079d9b..d7543ec288 100644 --- a/doc/userguide/rules/index.rst +++ b/doc/userguide/rules/index.rst @@ -16,6 +16,7 @@ Suricata Rules modbus-keyword dnp3-keywords enip-keyword + ftp-keywords app-layer xbits thresholding
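Review bot: in the doc/userguide/file-extraction/file-extraction.rst hunk, the new first sentence lists "the HTTP, SMTP, NFS and NTP parsers"; given the commit subject ("update following ftp-data changes") and the new ftp-keywords.rst in the same patch, NTP looks like a typo for FTP (NTP carries no files), so it should read "HTTP, SMTP, NFS and FTP parsers". The same line has a number-agreement slip, "The application layer parsers runs on top of the stream reassembly engine", which should be "parsers run"; and the second changed line, "the application layer parser all affect", should be plural as well ("the application layer parsers all affect") so the two sentences agree.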
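Review bot: in the new doc/userguide/rules/ftp-keywords.rst, the ftpbounce section is incomplete compared with ftpdata_command: it gives only "Detect FTP bounce attacks." and the bare keyword under "Syntax::", with no statement of which protocol the rule must use (ftp, as opposed to the ftp-data protocol used by the ftpdata_command example) and no signature example. Suggest adding a short description of what condition the keyword matches on the command channel and a "Signature example::" block in the same form as the ftpdata_command one, so readers can see the keyword in a complete rule. Also, the ftpdata_command text says the keyword filters the "ftp-data channel", but only the signature example shows that this means the rule header must use the ftp-data protocol; stating that explicitly in the prose would avoid readers putting ftpdata_command in an ftp rule.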