diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst
index 96b8f0518a..e93e8c467b 100644
--- a/doc/userguide/upgrade.rst
+++ b/doc/userguide/upgrade.rst
@@ -45,6 +45,7 @@ Logging changes ~~~~~~~~~~~~~~~ - IKEv2 Eve logging changed, the event_type has become ``ike``. The fields ``errors`` and ``notify`` have moved to ``ike.ikev2.errors`` and ``ike.ikev2.notify``. +- FTP DATA metadata for alerts are now logged in ``ftp_data`` instead of root. Other changes ~~~~~~~~~~~~~
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 0ebe6fe0c1..50d9bc216d 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -519,7 +519,10 @@ static void AlertAddAppLayer(const Packet *p, JsonBuilder *jb,
 }
 break;
 case ALPROTO_FTPDATA:
+ jb_get_mark(jb, &mark);
+ jb_open_object(jb, "ftp_data");
 EveFTPDataAddMetadata(p->flow, jb);
+ jb_close(jb);
 break;
 case ALPROTO_DNP3:
 AlertJsonDnp3(p->flow, tx_id, jb);
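Review bot: In the `ALPROTO_FTPDATA` case the mark taken by `jb_get_mark(jb, &mark);` is never used in the lines shown, and `jb_close(jb);` runs unconditionally, so an alert on a flow where `EveFTPDataAddMetadata` writes nothing would presumably still carry an empty `ftp_data` object. Either drop the `jb_get_mark` call, or have the helper report whether it wrote anything and call `jb_restore_mark(jb, &mark);` when it did not; the helper's signature is not visible in this hunk, so confirm which is possible. A one-line comment such as `/* FTP-DATA metadata is nested under "ftp_data"; it was at the root of the alert record before */` would help whoever maintains EVE parsers and detection content that key on the old root-level fields. The body of `AlertAddAppLayer` starts and ends outside the hunk, including the declaration of `mark`.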