diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst
index 34aadc961e24..10c9577ec2f1 100644
--- a/doc/userguide/upgrade.rst
+++ b/doc/userguide/upgrade.rst
@@ -46,6 +46,7 @@ Logging changes
 - IKEv2 Eve logging changed, the event_type has become ``ike``. The fields ``errors`` and ``notify`` have moved to ``ike.ikev2.errors`` and ``ike.ikev2.notify``.
 - FTP DATA metadata for alerts are now logged in ``ftp_data`` instead of root.
+- Alert ``xff`` field is now logged as ``alert.xff`` for alerts instead of at the root.
 
 Other changes
 ~~~~~~~~~~~~~
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 0465184fb690..5c71557dabfc 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -338,8 +338,8 @@ static void AlertJsonMetadata(AlertJsonOutputCtx *json_output_ctx,
     }
 }
 
-void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa,
-        JsonBuilder *js, uint16_t flags, JsonAddrInfo *addr)
+void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, JsonBuilder *js,
+        uint16_t flags, JsonAddrInfo *addr, char *xff_buffer)
 {
     AlertJsonOutputCtx *json_output_ctx = (AlertJsonOutputCtx *)ctx;
     const char *action = "allowed";
@@ -390,6 +390,9 @@ void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa,
     if (flags & LOG_JSON_RULE) {
         jb_set_string(js, "rule", pa->s->sig_str);
     }
+    if (xff_buffer && xff_buffer[0]) {
+        jb_set_string(js, "xff", xff_buffer);
+    }
     jb_close(js);
 }
 
@@ -650,6 +653,7 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
             json_output_ctx->xff_cfg : json_output_ctx->parent_xff_cfg;;
     int have_xff_ip = 0;
     char xff_buffer[XFF_MAXLEN];
+    xff_buffer[0] = 0;
     if ((xff_cfg != NULL) && !(xff_cfg->flags & XFF_DISABLED) && p->flow != NULL) {
         if (FlowGetAppProtocol(p->flow) == ALPROTO_HTTP1) {
             if (pa->flags & PACKET_ALERT_FLAG_TX) {
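Review bot: The new `xff_buffer` parameter of AlertJsonHeader is only ever read (passed to `jb_set_string` in the following hunk), never written through, so it should be `const char *xff_buffer` both here and in the prototype changed in src/output-json-alert.h; every caller in this patch passes either a `char[]` or NULL, so the stricter type costs nothing. The function also gains a contract that the other hunks silently rely on, that NULL or an empty string means "emit no `xff` key", and nothing documents it; I would add above the definition `/* xff_buffer: optional NUL-terminated XFF address; NULL or "" means no "xff" key is emitted */`. AlertJsonHeader's body continues past this hunk into the @@ -390 hunk.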
@@ -671,6 +675,10 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
                  * logged below. */
                 have_xff_ip = false;
             }
+            if (have_xff_ip && !(xff_cfg->flags & XFF_EXTRADATA)) {
+                // reset xff_buffer so as not to log it
+                xff_buffer[0] = 0;
+            }
         }
 
         JsonBuilder *jb =
@@ -680,8 +688,7 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 
 
         /* alert */
-        AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags,
-                &addr);
+        AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, &addr, xff_buffer);
 
         if (IS_TUNNEL_PKT(p)) {
             AlertJsonTunnel(p, jb);
@@ -759,10 +766,6 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
             EvePacket(p, jb, 0);
         }
 
-        if (have_xff_ip && xff_cfg->flags & XFF_EXTRADATA) {
-            jb_set_string(jb, "xff", xff_buffer);
-        }
-
         OutputJsonBuilderBuffer(jb, aft->ctx);
         jb_free(jb);
     }
@@ -805,7 +808,7 @@ static int AlertJsonDecoderEvent(ThreadVars *tv, JsonAlertLogThread *aft, const
     /* just the timestamp, no tuple */
     jb_set_string(jb, "timestamp", timebuf);
 
-    AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, NULL);
+    AlertJsonHeader(json_output_ctx, p, pa, jb, json_output_ctx->flags, NULL, NULL);
 
     OutputJsonBuilderBuffer(jb, aft->ctx);
     jb_free(jb);
diff --git a/src/output-json-alert.h b/src/output-json-alert.h
index 879e39919fff..0a5af4268a09 100644
--- a/src/output-json-alert.h
+++ b/src/output-json-alert.h
@@ -29,7 +29,7 @@ void JsonAlertLogRegister(void);
 
 
 void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, JsonBuilder *js,
-        uint16_t flags, JsonAddrInfo *addr);
+        uint16_t flags, JsonAddrInfo *addr, char *xff_buffer);
 
 #endif /* __OUTPUT_JSON_ALERT_H__ */
diff --git a/src/output-json-drop.c b/src/output-json-drop.c
index 83e16be8284a..b2b5925e0a63 100644
--- a/src/output-json-drop.c
+++ b/src/output-json-drop.c
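Review bot: The added reset clears `xff_buffer` only while `have_xff_ip` is still true, but the context directly above shows a path that sets `have_xff_ip = false` after the buffer has been filled, with its comment saying the address must not be "logged below"; on that path the buffer keeps its contents, and the new AlertJsonHeader call (@@ -680 hunk) emits `alert.xff` because it tests only `xff_buffer[0]`, whereas the block removed in the @@ -759 hunk (`have_xff_ip && xff_cfg->flags & XFF_EXTRADATA`) did not log it. The reset condition should mirror the removed gate rather than half of it: `if (!have_xff_ip || !(xff_cfg->flags & XFF_EXTRADATA)) {`. Note also that the reset lives inside the `xff_cfg != NULL` block, so the `xff_cfg->flags` dereference is safe, but a lookup that fails after partially writing the buffer would presumably still leak into the log; I cannot see the lookup from here, as AlertJson starts and ends outside this hunk.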
@@ -155,7 +155,7 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
             if ((pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) ||
                 ((pa->action & ACTION_DROP) && EngineModeIsIPS())) {
-                AlertJsonHeader(NULL, p, pa, js, 0, &addr);
+                AlertJsonHeader(NULL, p, pa, js, 0, &addr, NULL);
                 logged = 1;
                 break;
             }
@@ -163,7 +163,7 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
         if (logged == 0) {
             if (p->alerts.drop.action != 0) {
                 const PacketAlert *pa = &p->alerts.drop;
-                AlertJsonHeader(NULL, p, pa, js, 0, &addr);
+                AlertJsonHeader(NULL, p, pa, js, 0, &addr, NULL);
             }
         }
     }