diff --git a/tests/test-valid-json/pawpatrules.rules b/tests/test-valid-json/pawpatrules.rules
new file mode 100644
index 000000000..e41fa7890
--- /dev/null
+++ b/tests/test-valid-json/pawpatrules.rules
@@ -0,0 +1 @@
+alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Possible Windows Installer or Bitsadmin TLSv1.2 connection to FQDN - T1105"; flow:to_server, stateless; ja3.hash; content:"bd0bf25947d4a37404f0424edf4db9ad"; fast_pattern; tls_sni; content:!"microsoft.com"; endswith; nocase; content:!"live.com"; endswith; nocase; content:!"google.com"; endswith; nocase; content:!".ms"; endswith; nocase; content:!"libreoffice.org"; endswith; nocase; content:!"skype.com"; endswith; nocase; content:!"windows.net"; endswith; nocase; content:!"googleapis.com"; endswith; nocase; content:!"office.com"; endswith; nocase; content:!"azureedge.net"; endswith; nocase; content:!"sophosupd.com"; endswith; nocase; content:!"sophosxl.net"; endswith; nocase; content:!"sophos.com"; endswith; nocase; content:!"office.net"; endswith; nocase; content:!"jive.com"; endswith; nocase; content:!"adobe.com"; endswith; nocase; content:!"avast.com"; endswith; nocase; content:!"mozilla.org"; endswith; nocase; content:!".microsoft"; nocase; endswith; content:!".gvt1.com"; nocase; endswith; content:!".msedge.net"; nocase; endswith; content:!".msn.com"; nocase; endswith; content:!".microsoftonline.com"; nocase; endswith; content:!".windows.com"; nocase; endswith; content:!".bing.com"; nocase; endswith; content:!".mozilla.net; nocase; endswith; reference:url,https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/#download; reference:url,https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/#download; reference:url,https://www.senseon.io/resource/resurgent-usb-malware-battling-raspberry-robin/; target:src_ip; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer, created_at 2023_05_18, updated_at 2024_09_05; sid:3300209; rev:18; classtype:policy-violation;)
diff --git a/tests/test-valid-json/suricata.yaml b/tests/test-valid-json/suricata.yaml
new file mode 100644
index 000000000..c2fa64e94
--- /dev/null
+++ b/tests/test-valid-json/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+logging:
+  default-log-level: info
+  outputs:
+  - file:
+      enabled: yes
+      filename: eve.json
+      type: json
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    EXTERNAL_NET: "!$HOME_NET"
diff --git a/tests/test-valid-json/test.yaml b/tests/test-valid-json/test.yaml
new file mode 100644
index 000000000..e49b1bb9c
--- /dev/null
+++ b/tests/test-valid-json/test.yaml
@@ -0,0 +1,19 @@
+requires:
+  min-version: 8
+
+args:
+  - -T
+
+pcap: false
+
+exit-code: 1
+
+checks:
+  # check that we have the following entries in eve.json
+  # match rule load failure reason as it is super long
+  - filter:
+      count: 2
+      match:
+        event_type: engine
+        engine.module: detect
+