doc/decode-events: new: unknown event description

Issue: 7129

Document the unknown ethertype event.

doc/userguide/rules/decode-layer.rst

@@ -0,0 +1,42 @@
+Generic Decode Layer Keywords
+=============================
+
+decode-event
+------------
+
+Match on events generated by the decode layer. Decode events are generated during
+the packet decoding phase that indicate structural or invalid values for the
+Ethernet and layer 2 and layer 3 protocol data.
+
+Syntax::
+
+  decode-event:<event name>;
+
+Examples::
+
+    decode-event:ipv4.opt_duplicate
+    decode-event:ethernet.unknown_ethertype
+
+Decode Events
+~~~~~~~~~~~~~
+
+ethernet.unknown_ethertype
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The ethertype value was not recognized by Suricata. Suricata recognizes
+the following ethertype values::
+
+ ETHERNET_TYPE_IP
+ ETHERNET_TYPE_IPV6
+ ETHERNET_TYPE_VLAN
+ ETHERNET_TYPE_8021QINQ
+ ETHERNET_TYPE_8021AD
+ ETHERNET_TYPE_8021AH
+ ETHERNET_TYPE_ARP
+ ETHERNET_TYPE_MPLS_UNICAST
+ ETHERNET_TYPE_MPLS_MULTICAST
+ ETHERNET_TYPE_DCE
+ ETHERNET_TYPE_VNTAG
+ ETHERNET_TYPE_NSH
+ ETHERNET_TYPE_PPOE_SESS
+ ETHERNET_TYPE_PPOE_DISC

doc/userguide/rules/index.rst

@@ -38,6 +38,7 @@ Suricata Rules
    smtp-keywords
    websocket-keywords
    app-layer
+   decode-layer
    xbits
    noalert
    thresholding