diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index 710225aabc..99f1b3f3a9 100644
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -2528,6 +2528,8 @@ flow. Some of the possible request messages are:
 * "startup_message": message sent to start a new PostgreSQL connection
 * "password_message": if password output for PGSQL is enabled in suricata.yaml, carries the password sent during Authentication phase
+* "password_redacted": set to true in case there is a password message, but its
+  logging is disabled
 * "simple_query": issued SQL command during simple query subprotocol. PostgreSQL identifies specific sets of commands that change the set of expected messages to be exchanged as subprotocols.
diff --git a/etc/schema.json b/etc/schema.json
index 208ebc7030..58252008f3 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -3663,6 +3663,10 @@
 "password_message": {
 "type": "string"
 },
+ "password_redacted": {
+ "type": "boolean",
+ "description": "indicates if a password message was received but not logged due to Suricata settings"
+ },
 "process_id": {
 "type": "integer"
 },
diff --git a/rust/src/pgsql/logger.rs b/rust/src/pgsql/logger.rs
index ae28101431..7bb5b4d8b3 100644
--- a/rust/src/pgsql/logger.rs
+++ b/rust/src/pgsql/logger.rs
@@ -81,6 +81,8 @@ fn log_request(req: &PgsqlFEMessage, flags: u32) -> Result {
 if flags & PGSQL_LOG_PASSWORDS != 0 {
 js.set_string_from_bytes("password", payload)?;
+ } else {
+ js.set_bool("password_redacted", true)?;
 }
 }
 PgsqlFEMessage::SASLResponse(RegularPacket {
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 7794cf348f..972de0687e 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
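Review bot: The new `else` arm emits `password_redacted` only in the branch gated by `PGSQL_LOG_PASSWORDS` for the password message; the `PgsqlFEMessage::SASLResponse` arm that begins on the hunk's last line is outside the hunk, so it is not visible whether that credential-bearing message is gated by the same flag, and if it is, it should set the same marker so consumers of the EVE record get a consistent signal for every redacted credential. A short comment above the new arm would also make the intent explicit for the next reader, e.g. `// Password logging is off: record that a credential was seen without emitting its value.` The enclosing `log_request` starts and ends outside the hunk.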
@@ -360,6 +360,8 @@ outputs:
 - pgsql:
 enabled: no
 # passwords: yes # enable output of passwords. Disabled by default
+ # If a password message is seen but this setting
+ # is disabled, "password_redacted": true is logged
 - stats:
 totals: yes # stats for all threads merged together
 threads: no # per thread stats