doc: Add ftp.command sticky buffer

Issue: 7502 This commit documents the new FTP sticky buffer "ftp.command".
OISF · Jan 26, 2025 · 53abe1e · 53abe1e
1 parent b662feb
commit 53abe1e
Showing 1 changed file with 27 additions and 1 deletion.
diff --git a/doc/userguide/rules/ftp-keywords.rst b/doc/userguide/rules/ftp-keywords.rst
@@ -44,4 +44,30 @@ Signature Example:
   :example-rule-options:`file.name; content:"file.txt";` \
   classtype:bad-unknown; sid:1; rev:1;)
 
-For additional information on the ``file.name`` keyword, see :doc:`file-keywords`.
+For additional information on the ``file.name`` keyword, see :doc:`file-keywords`.
+
+ftp.command
+-----------
+
+This keyword matches on the command name from a FTP client request. ``ftp.command``
+is a sticky buffer and can be used as a fast pattern.
+
+Syntax::
+
+  ftp.command; content: <command>;
+
+Signature Example:
+
+.. container:: example-rule
+
+  alert ftp any any -> any any (:example-rule-options:`ftp.command; content:"PASS";` sid: 1;)
+
+Examples of commands are:
+
+* USER
+* PASS
+* PORT
+* EPRT
+* PASV
+* RETR
+