doc: update following ftp-data changes

doc/userguide/file-extraction/file-extraction.rst

@@ -4,9 +4,9 @@ File Extraction
 Architecture
 ~~~~~~~~~~~~
 
-The file extraction code works on top of the HTTP and SMTP parsers. The HTTP parser takes care of dechunking and unzipping the request and/or response data if necessary. The HTTP/SMTP parsers runs on top of the stream reassembly engine.
+The file extraction code works on top of the HTTP, SMTP, NFS and NTP parsers. The HTTP parser takes care of dechunking and unzipping the request and/or response data if necessary. The application layer parsers runs on top of the stream reassembly engine.
 
-This means that settings in the stream engine, reassembly engine and the HTTP parser all affect the workings of the file extraction.
+This means that settings in the stream engine, reassembly engine and the application layer parser all affect the workings of the file extraction.
 
 What files are actually extracted and stored to disk is controlled by the rule language.
 

doc/userguide/rules/ftp-keywords.rst

@@ -0,0 +1,31 @@
+FTP/FTP-DATA Keywords
+=====================
+
+ftpdata_command
+---------------
+
+Filter ftp-data channel based on command used on the FTP command channel.
+Currently supported commands are RETR (get on a file) and STOR (put on a
+file).
+
+Syntax::
+
+  ftpdata_command:(retr|stor)
+
+Examples::
+
+  ftpdata_command:retr
+  ftpdata_command:stor
+
+Signature example::
+
+ alert ftp-data any any -> any any (msg:"FTP store password"; filestore; filename:"password"; ftpdata_command:stor; sid:3; rev:1;)
+
+ftpbounce
+---------
+
+Detect FTP bounce attacks.
+
+Syntax::
+
+  ftpbounce

doc/userguide/rules/index.rst

@@ -16,6 +16,7 @@ Suricata Rules
    modbus-keyword
    dnp3-keywords
    enip-keyword
+   ftp-keywords
    app-layer
    xbits
    thresholding