doc/ftp: Document the ftp.reply keyword

Issue: 7508

doc/userguide/rules/ftp-keywords.rst

@@ -49,7 +49,7 @@ For additional information on the ``file.name`` keyword, see :doc:`file-keywords
 ftp.command
 -----------
 
-This keyword matches on the command name from a FTP client request. ``ftp.command``
+This keyword matches on the command name from an FTP client request. ``ftp.command``
 is a sticky buffer and can be used as a fast pattern.
 
 Syntax::
@@ -95,7 +95,6 @@ examples::
     RETR temp.txt
     PORT 192,168,0,13,234,10
 
-
 Example rules for each of the preceding FTP commands and command data.
 
 .. container:: example-rule
@@ -114,3 +113,34 @@ Example rules for each of the preceding FTP commands and command data.
 
   alert ftp any any -> any any (:example-rule-options:`ftp.command_data; content:"192,168,0,13,234,10";` sid: 3;)
 
+ftp.reply
+---------
+
+This keyword matches on an FTP reply string. Note that there may be multiple reply strings for
+an FTP command. ``ftp.reply`` is a sticky buffer and can be used as a fast pattern. Do not
+include the completion code in the `content` to match upon (see examples).
+
+Syntax::
+
+  ftp.reply; content: <reply-string>;
+  alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Please specify the password.";` sid: 1;)
+
+.. note ::
+   FTP commands can return multiple reply strings. Specify a single reply for each ``ftp.reply`` keyword.
+
+This example shows an FTP command (``RETR``) followed by an FTP reply with multiple response strings.
+::
+
+    RETR temp.txt
+    150 Opening BINARY mode data connection for temp.txt (1164 bytes).
+    226 Transfer complete.
+
+Signature Example:
+
+.. container:: example-rule
+
+  alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Opening BINARY mode data connection for temp.";` sid: 1;)
+
+.. container:: example-rule
+
+  alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Transfer complete.";` sid: 2;)