From 879a733c12cabad99ca278293bee65ba33500f37 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Wed, 26 Mar 2025 16:21:56 +0100 Subject: [PATCH] doc/http2: explicit behavior for some http keywords HTTP/2 does not define a way to carry the version or reason phrase that is included in an HTTP/1.1 status line. Ticket: 6548 --- doc/userguide/rules/http-keywords.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index a453846bcb..a26d3cacb0 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst @@ -796,6 +796,9 @@ http.stat_msg The ``http.stat_msg`` keyword is used to match on the HTTP status message that can be present in an HTTP response. +For HTTP/2, an empty buffer is returned by Suricata. +See rfc 7540 section 8.1.2.4. about Response Pseudo-Header Fields. + It is possible to use any of the :doc:`payload-keywords` with the ``http.stat_msg`` keyword. @@ -1216,6 +1219,9 @@ http.protocol The ``http.protocol`` keyword is used to match on the protocol field that is contained in HTTP requests and responses. +For HTTP/2, the constant string "HTTP/2" is used. +See rfc 7540 section 8.1.2.4. about Response Pseudo-Header Fields. + It is possible to use any of the :doc:`payload-keywords` with the ``http.protocol`` keyword. -- 2.47.2
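Review bot: In the http.stat_msg hunk, the added lines say that "an empty buffer is returned" but not what that means for someone writing a rule. Since the buffer is empty for HTTP/2, a non-negated content match on ``http.stat_msg`` will not fire on HTTP/2 responses, and the text should say so. The reason given in the commit message (HTTP/2 does not define a way to carry the reason phrase) also belongs in the doc itself rather than only behind the RFC pointer. As a style point, "See rfc 7540 section 8.1.2.4. about" should read "RFC 7540" without the period after the section number, or use the Sphinx ``:rfc:`` role so the reference becomes a link.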
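Review bot: In the http.protocol hunk, the reference points to "Response Pseudo-Header Fields", but the paragraph just above says the keyword matches the protocol field in "HTTP requests and responses", so the request side is left without a citation. Either cite the request pseudo-header section as well or state explicitly that the constant applies in both directions. "the constant string "HTTP/2" is used" would also read better as an active sentence with the value in literal markup, as in ``HTTP/2``, to match the double-backtick style used for ``http.protocol`` in the same section. The "rfc 7540 section 8.1.2.4." wording has the same capitalization and trailing-period issue as in the first hunk.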