diff --git a/contrib/ossec-testing/tests/su.ini b/contrib/ossec-testing/tests/su.ini
index 7fb2ae668..99aa2acb6 100644
--- a/contrib/ossec-testing/tests/su.ini
+++ b/contrib/ossec-testing/tests/su.ini
@@ -18,8 +18,8 @@ alert = 5
 decoder = su
 
 
-[su: work]
+[su: work fts]
 log 1 pass = Apr 22 17:51:51 enigma su: dcid to root on /dev/ttyp1
-rule = 5303
-alert = 3
+rule = 5305
+alert = 4
 decoder = su
diff --git a/etc/decoder.xml b/etc/decoder.xml
index 0185fc144..e882ce782 100755
--- a/etc/decoder.xml
+++ b/etc/decoder.xml
@@ -496,8 +496,16 @@ Jan  8 19:32:41 tp.lan dropbear[15165]: Pubkey auth succeeded for 'root' with ke
   <order>user</order>
 </decoder>
 
+<decoder name="su">
+  <prematch>^SU \S+ \S+ </prematch>
+  <regex offset="after_prematch">^\S \S+ (\S+)-(\S+)$</regex>
+  <order>srcuser, dstuser</order>
+  <fts>name, srcuser, location</fts>
+</decoder>
+
 <decoder name="su-detail2">
   <parent>su</parent>
+  <prematch> </prematch>
   <regex>^BAD SU (\S+) to (\S+) on|</regex>
   <regex>^failed: \S+ changing from (\S+) to (\S+)|</regex>
   <regex>^\S \S+ (\S+)\p(\S+)$|^(\S+) to (\S+) on </regex>
@@ -505,13 +513,6 @@ Jan  8 19:32:41 tp.lan dropbear[15165]: Pubkey auth succeeded for 'root' with ke
   <fts>name, srcuser, location</fts>
 </decoder>
 
-<decoder name="su">
-  <prematch>^SU \S+ \S+ </prematch>
-  <regex offset="after_prematch">^\S \S+ (\S+)-(\S+)$</regex>
-  <order>srcuser, dstuser</order>
-  <fts>name, srcuser, location</fts>
-</decoder>
-
 
 
 <!-- ProFTPD decoder.