From 53abe1e5d7fbf7b124a1e7619021e474961e11cd Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky <jlucovsky@oisf.net>
Date: Mon, 20 Jan 2025 10:37:08 -0500
Subject: [PATCH] doc: Add ftp.command sticky buffer

Issue: 7502

This commit documents the new FTP sticky buffer "ftp.command".
---
 doc/userguide/rules/ftp-keywords.rst | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/doc/userguide/rules/ftp-keywords.rst b/doc/userguide/rules/ftp-keywords.rst
index d93451684486..1f45e12d52b6 100644
--- a/doc/userguide/rules/ftp-keywords.rst
+++ b/doc/userguide/rules/ftp-keywords.rst
@@ -44,4 +44,30 @@ Signature Example:
   :example-rule-options:`file.name; content:"file.txt";` \
   classtype:bad-unknown; sid:1; rev:1;)
 
-For additional information on the ``file.name`` keyword, see :doc:`file-keywords`.
\ No newline at end of file
+For additional information on the ``file.name`` keyword, see :doc:`file-keywords`.
+
+ftp.command
+-----------
+
+This keyword matches on the command name from a FTP client request. ``ftp.command``
+is a sticky buffer and can be used as a fast pattern.
+
+Syntax::
+
+  ftp.command; content: <command>;
+
+Signature Example:
+
+.. container:: example-rule
+
+  alert ftp any any -> any any (:example-rule-options:`ftp.command; content:"PASS";` sid: 1;)
+
+Examples of commands are:
+
+* USER
+* PASS
+* PORT
+* EPRT
+* PASV
+* RETR
+