diff --git a/rules/Makefile.am b/rules/Makefile.am
index 98a484d3a5..daa8d67e52 100644
--- a/rules/Makefile.am
+++ b/rules/Makefile.am
@@ -8,4 +8,5 @@ tls-events.rules \
 modbus-events.rules \
 app-layer-events.rules \
 files.rules \
-dnp3-events.rules
+dnp3-events.rules \
+ntp-events.rules
diff --git a/rules/ntp-events.rules b/rules/ntp-events.rules
new file mode 100644
index 0000000000..fe70337b43
--- /dev/null
+++ b/rules/ntp-events.rules
@@ -0,0 +1,8 @@
+# NTP app layer event rules
+#
+# SID's fall in the 2222000+ range. See https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer
+#
+# These sigs fire at most once per connection.
+#
+alert ntp any any -> any any (msg:"SURICATA NTP malformed request data"; flow:to_server; app-layer-event:ntp.malformed_data; classtype:protocol-command-decode; sid:2222000; rev:1;)
+alert ntp any any -> any any (msg:"SURICATA NTP malformed response data"; flow:to_client; app-layer-event:ntp.malformed_data; classtype:protocol-command-decode; sid:2222001; rev:1;)
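Review bot: Adding `ntp-events.rules` to this list only makes the file part of the distributed/installed rule set; it does not cause Suricata to load it, since the engine loads only the files named under `rule-files:` in the configuration. If the other `*-events.rules` files listed here are also enabled in the default configuration (outside this diff, I cannot confirm it here), the same entry should be added for `ntp-events.rules`, otherwise the new NTP event signatures will ship but never fire. The variable this list belongs to starts before the hunk, so its exact purpose cannot be read from the visible lines.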
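Review bot: The two signatures are the same event, `ntp.malformed_data`, split only by `flow:to_server` / `flow:to_client`, yet their messages assert "request" and "response"; for a UDP protocol that direction is just which side sent the first datagram of the flow, and NTP also has symmetric (peer) and broadcast modes where there is no request/response pairing, so an analyst could read the wrong role into a hit. Either the message should name the direction rather than the role, e.g. `msg:"SURICATA NTP malformed data to server"` / `msg:"SURICATA NTP malformed data to client"`, or the header should carry the caveat `# to_server/to_client reflects flow direction (first datagram seen), not NTP request/response semantics`. The header line `# These sigs fire at most once per connection.` also reads as copied from the TCP event files; for NTP `# These sigs fire at most once per flow.` is the accurate wording, and it is worth noting in the header which Suricata version introduced the NTP app-layer parser so users of older engines know why these rules fail to load.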