diff --git a/etc/schema.json b/etc/schema.json
index 55dca8fb25..561d1aba7b 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -2021,6 +2021,10 @@
 "hook": {
 "type": "string",
 "description": "Firewall hook for the match"
+ },
+ "policy": {
+ "type": "string",
+ "description": "Firewall actions for the match (from rule or default policy)"
 }
 }
 },
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index ee018aa122..74263b0508 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -40,6 +40,7 @@
 #include "util-misc.h"
 #include "util-time.h"
+#include "detect-parse.h"
 #include "detect-engine.h"
 #include "detect-metadata.h"
 #include "app-layer-parser.h"
@@ -647,6 +648,49 @@ static bool AlertJsonStreamData(const AlertJsonOutputCtx *json_output_ctx, JsonA
 return false;
 }
 
+static void AlertJsonAddFirewall(SCJsonBuilder *jb, const Signature *s)
+{
+ struct DetectFirewallPolicy pol = { .action = s->action, .action_scope = s->action_scope };
+
+ SCJbOpenObject(jb, "firewall");
+ const char *hook = NULL;
+ char hook_string[256];
+ switch (s->detect_table) {
+ case DETECT_TABLE_APP_FILTER:
+ if (s->flags & SIG_FLAG_TOSERVER) {
+ hook = AppLayerParserGetStateNameById(
+ IPPROTO_TCP, s->alproto, s->app_progress_hook, STREAM_TOSERVER);
+ } else {
+ hook = AppLayerParserGetStateNameById(
+ IPPROTO_TCP, s->alproto, s->app_progress_hook, STREAM_TOCLIENT);
+ }
+ if (hook) {
+ snprintf(hook_string, sizeof(hook_string), "%s:%s", AppProtoToString(s->alproto),
+ hook);
+ hook = hook_string;
+ }
+ break;
+ case DETECT_TABLE_PACKET_FILTER:
+ hook = "packet:filter";
+ break;
+ case DETECT_TABLE_PACKET_PRE_FLOW:
+ hook = "packet:pre_flow";
+ break;
+ case DETECT_TABLE_PACKET_PRE_STREAM:
+ hook = "packet:pre_stream";
+ break;
+ }
+ if (hook) {
+ SCJbSetString(jb, "hook", hook);
+ }
+ char policy_string[64] = "";
+ DetectFirewallPolicyToString(&pol, policy_string, sizeof(policy_string));
+ if (strlen(policy_string) > 0) {
+ SCJbSetString(jb, "policy", policy_string);
+ }
+ SCJbClose(jb);
+}
+
 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 {
 AlertJsonOutputCtx *json_output_ctx = aft->json_output_ctx;
@@ -711,6 +755,10 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 AlertJsonTunnel(p, jb, &json_output_ctx->eve_ctx->cfg);
 }
 
+ if (pa->s->flags & SIG_FLAG_FIREWALL) {
+ AlertJsonAddFirewall(jb, pa->s);
+ }
+
 if (p->flow != NULL) {
 if (pa->flags & PACKET_ALERT_FLAG_TX) {
 if (json_output_ctx->flags & LOG_JSON_APP_LAYER) {
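Review bot: The state-name lookup in the `DETECT_TABLE_APP_FILTER` branch of `AlertJsonAddFirewall` hard-codes `IPPROTO_TCP` in both `AppLayerParserGetStateNameById` calls, so for a signature whose app-layer protocol is registered over UDP the lookup presumably returns NULL (the `hook` key is then silently omitted from the alert) or, if state ids overlap across transports, a name from a different protocol — worth confirming against that function and, if the signature carries its transport, passing it instead. The `switch (s->detect_table)` has no `default:` case, so any table value beyond the four listed drops the `hook` key without a trace; adding `default: break;` (or a debug assertion) makes that explicit and keeps `-Wswitch` quiet if `detect_table` is an enum. The return of `snprintf` into `hook_string[256]` is not checked, so a truncated `proto:state` string would be logged as-is; checking the result and skipping the key on truncation avoids a misleading hook value. The new function also has no header comment; suggest `/** \brief Log the "firewall" object (hook and resulting policy) for a firewall-table signature into the alert record. */` above it.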