diff --git a/tests/datajson/datajson-01-ip/input.pcap b/tests/datajson/datajson-01-ip/input.pcap
new file mode 100644
index 000000000..8fb6832de
Binary files /dev/null and b/tests/datajson/datajson-01-ip/input.pcap differ
diff --git a/tests/datajson/datajson-01-ip/src.lst b/tests/datajson/datajson-01-ip/src.lst
new file mode 100644
index 000000000..f44ad188c
--- /dev/null
+++ b/tests/datajson/datajson-01-ip/src.lst
@@ -0,0 +1 @@
+10.16.1.11,{"test": "success","context":3}
diff --git a/tests/datajson/datajson-01-ip/test.rules b/tests/datajson/datajson-01-ip/test.rules
new file mode 100644
index 000000000..6a94208f4
--- /dev/null
+++ b/tests/datajson/datajson-01-ip/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (flow:established,to_server; http.host; content:"testmyids.com"; ip.src; datajson:isset,src_ip,type ip,load src.lst,key src_ip; sid:1;)
diff --git a/tests/datajson/datajson-01-ip/test.yaml b/tests/datajson/datajson-01-ip/test.yaml
new file mode 100644
index 000000000..6dc740286
--- /dev/null
+++ b/tests/datajson/datajson-01-ip/test.yaml
@@ -0,0 +1,20 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - src/datasets.c
+
+args:
+ - -k none --set datasets.enabled=yes
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.extra.src_ip.test: success
diff --git a/tests/datajson/datajson-02-multiple/host.lst b/tests/datajson/datajson-02-multiple/host.lst
new file mode 100644
index 000000000..f1b1a17a6
--- /dev/null
+++ b/tests/datajson/datajson-02-multiple/host.lst
@@ -0,0 +1 @@
+d3d3LnRlc3RteWlkcy5jb20=,{"context":"gold old test", "year": 2005}
diff --git a/tests/datajson/datajson-02-multiple/input.pcap b/tests/datajson/datajson-02-multiple/input.pcap
new file mode 100644
index 000000000..8fb6832de
Binary files /dev/null and b/tests/datajson/datajson-02-multiple/input.pcap differ
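Review bot: None of the datajson test.yaml files declare a `min-version`; the `requires` block lists only `HAVE_LIBJANSSON` and `src/datasets.c`, both of which presumably also exist in releases that do not know the `datajson` keyword, so on such a build the rule fails to load and the test fails rather than being skipped. The detect-pcre-06/test.yaml hunk later in this same change pins `min-version: 8` for its feature, and the same belongs here, e.g. `requires:` / `  min-version: 8` / `  features:` (or whichever release introduces the keyword). The same applies to the test.yaml hunks of datajson-02-multiple, -04-hashes, -05-duplicate, -06-valid-json, -07-dataset, -08-invalid-json and -09-jsonformat.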
diff --git a/tests/datajson/datajson-02-multiple/src.lst b/tests/datajson/datajson-02-multiple/src.lst
new file mode 100644
index 000000000..f44ad188c
--- /dev/null
+++ b/tests/datajson/datajson-02-multiple/src.lst
@@ -0,0 +1 @@
+10.16.1.11,{"test": "success","context":3}
diff --git a/tests/datajson/datajson-02-multiple/test.rules b/tests/datajson/datajson-02-multiple/test.rules
new file mode 100644
index 000000000..acbf3045a
--- /dev/null
+++ b/tests/datajson/datajson-02-multiple/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,badhost,type string,load host.lst,key bad_host; ip.src; datajson:isset,src_ip,type ip,load src.lst,key src_ip; sid:1;)
diff --git a/tests/datajson/datajson-02-multiple/test.yaml b/tests/datajson/datajson-02-multiple/test.yaml
new file mode 100644
index 000000000..bad24cf2d
--- /dev/null
+++ b/tests/datajson/datajson-02-multiple/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - src/datasets.c
+
+args:
+ - -k none --set datasets.enabled=yes
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.extra.src_ip.test: success
+ alert.extra.bad_host.year: 2005
diff --git a/tests/datajson/datajson-04-hashes/badmd5.lst b/tests/datajson/datajson-04-hashes/badmd5.lst
new file mode 100644
index 000000000..390a1e659
--- /dev/null
+++ b/tests/datajson/datajson-04-hashes/badmd5.lst
@@ -0,0 +1 @@
+b65d49730d16e5a8a7b2ab95350848b8,{"year": 2007, "where": "home"}
diff --git a/tests/datajson/datajson-04-hashes/badsha.lst b/tests/datajson/datajson-04-hashes/badsha.lst
new file mode 100644
index 000000000..58bcade9d
--- /dev/null
+++ b/tests/datajson/datajson-04-hashes/badsha.lst
@@ -0,0 +1,2 @@
+e0ca4ff795b3f32d45260678e4ab79884793c05a149f2b350d10274451dc210a,{"year":2005,"where":"internet"}
+#E0CA4FF795B3F32D45260678E4AB79884793C05A149F2B350D10274451DC210A,{"year":2005,"where":"internet"}
diff --git a/tests/datajson/datajson-04-hashes/badsha1.lst b/tests/datajson/datajson-04-hashes/badsha1.lst
new file mode 100644
index 000000000..1cdea21c5
--- /dev/null
+++ b/tests/datajson/datajson-04-hashes/badsha1.lst
@@ -0,0 +1 @@
+6951a4eb86e09aac29a003a35ee4d6b4a8468a6e,{"year":2006,"where":"internet"}
diff --git a/tests/datajson/datajson-04-hashes/input.pcap b/tests/datajson/datajson-04-hashes/input.pcap
new file mode 100644
index 000000000..8fb6832de
Binary files /dev/null and b/tests/datajson/datajson-04-hashes/input.pcap differ
diff --git a/tests/datajson/datajson-04-hashes/test.rules b/tests/datajson/datajson-04-hashes/test.rules
new file mode 100644
index 000000000..af67a6908
--- /dev/null
+++ b/tests/datajson/datajson-04-hashes/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (flow:established,to_server; http.host; content: "testmyids"; to_sha256; datajson:isset,badcat,type sha256,load badsha.lst,key bad_sha; sid:1; rev:1;)
+alert http any any -> any any (flow:established,to_server; http.host; content: "testmyids"; to_md5; datajson:isset,badmd5,type md5,load badmd5.lst,key bad_md5; sid:2; rev:1;)
diff --git a/tests/datajson/datajson-04-hashes/test.yaml b/tests/datajson/datajson-04-hashes/test.yaml
new file mode 100644
index 000000000..716171874
--- /dev/null
+++ b/tests/datajson/datajson-04-hashes/test.yaml
@@ -0,0 +1,26 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - src/datasets.c
+
+args:
+ - -k none --set datasets.enabled=yes
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.extra.bad_sha.year: 2005
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ alert.extra.bad_md5.year: 2007
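Review bot: badsha1.lst is added but nothing in datajson-04-hashes loads it: test.rules references only badsha.lst (sid 1, `type sha256`) and badmd5.lst (sid 2, `type md5`), and test.yaml has no sha1 expectation, so the fixture reads like a test that never ran. Unless a sha1 dataset type is actually available to exercise it with a rule and an `alert.extra` check, dropping the file is the cleaner option. Relatedly, the `#`-prefixed uppercase duplicate in badsha.lst looks like a probe of comment handling in the loader, but nothing says so; a line in test.yaml such as `# badsha.lst carries a '#'-commented duplicate to check that comment lines are skipped` would record the intent.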
diff --git a/tests/datajson/datajson-05-duplicate/host.lst b/tests/datajson/datajson-05-duplicate/host.lst
new file mode 100644
index 000000000..d852cad3b
--- /dev/null
+++ b/tests/datajson/datajson-05-duplicate/host.lst
@@ -0,0 +1,2 @@
+d3d3LnRlc3RteWlkcy5jb20=,{"context":"good old test", "year": 2005}
+d3d3LnRlc3RteWlkcy5jb20=,{"context":"gold old test", "year": 2006}
diff --git a/tests/datajson/datajson-05-duplicate/input.pcap b/tests/datajson/datajson-05-duplicate/input.pcap
new file mode 100644
index 000000000..8fb6832de
Binary files /dev/null and b/tests/datajson/datajson-05-duplicate/input.pcap differ
diff --git a/tests/datajson/datajson-05-duplicate/src.lst b/tests/datajson/datajson-05-duplicate/src.lst
new file mode 100644
index 000000000..4993bc672
--- /dev/null
+++ b/tests/datajson/datajson-05-duplicate/src.lst
@@ -0,0 +1,2 @@
+10.16.1.11,{"test": "success","context":1}
+10.16.1.11,{"test": "fail","context":2}
diff --git a/tests/datajson/datajson-05-duplicate/test.rules b/tests/datajson/datajson-05-duplicate/test.rules
new file mode 100644
index 000000000..acbf3045a
--- /dev/null
+++ b/tests/datajson/datajson-05-duplicate/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,badhost,type string,load host.lst,key bad_host; ip.src; datajson:isset,src_ip,type ip,load src.lst,key src_ip; sid:1;)
diff --git a/tests/datajson/datajson-05-duplicate/test.yaml b/tests/datajson/datajson-05-duplicate/test.yaml
new file mode 100644
index 000000000..bad24cf2d
--- /dev/null
+++ b/tests/datajson/datajson-05-duplicate/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - src/datasets.c
+
+args:
+ - -k none --set datasets.enabled=yes
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.extra.src_ip.test: success
+ alert.extra.bad_host.year: 2005
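Review bot: The duplicate-key semantics this test pins are not written down anywhere: src.lst and host.lst each list the same key twice with different payloads, and the checks only pass if the first entry (`"test": "success"`, `"year": 2005`) is the one exported. Whether later duplicates are dropped, warned about or overwrite the first is exactly what a loader change would alter, so a comment in test.yaml such as `# src.lst/host.lst repeat a key on purpose: the first entry must be the one kept` lets a future failure be read as intentional. test.yaml is byte-identical to datajson-02-multiple's (same blob id), which makes the comment the only place the difference between the two tests is visible.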
diff --git a/tests/datajson/datajson-06-valid-json/host.lst b/tests/datajson/datajson-06-valid-json/host.lst
new file mode 100644
index 000000000..e184bf68b
--- /dev/null
+++ b/tests/datajson/datajson-06-valid-json/host.lst
@@ -0,0 +1 @@
+d3d3LnRlc3RteWlkcy5jb20=,"context"
diff --git a/tests/datajson/datajson-06-valid-json/input.pcap b/tests/datajson/datajson-06-valid-json/input.pcap
new file mode 100644
index 000000000..8fb6832de
Binary files /dev/null and b/tests/datajson/datajson-06-valid-json/input.pcap differ
diff --git a/tests/datajson/datajson-06-valid-json/ip.lst b/tests/datajson/datajson-06-valid-json/ip.lst
new file mode 100644
index 000000000..4d112f86e
--- /dev/null
+++ b/tests/datajson/datajson-06-valid-json/ip.lst
@@ -0,0 +1,2 @@
+10.16.1.12,1.2
+10.16.1.11,42
diff --git a/tests/datajson/datajson-06-valid-json/ip2.lst b/tests/datajson/datajson-06-valid-json/ip2.lst
new file mode 100644
index 000000000..19d54fd4e
--- /dev/null
+++ b/tests/datajson/datajson-06-valid-json/ip2.lst
@@ -0,0 +1 @@
+10.16.1.11,1.2
diff --git a/tests/datajson/datajson-06-valid-json/test.rules b/tests/datajson/datajson-06-valid-json/test.rules
new file mode 100644
index 000000000..599e42191
--- /dev/null
+++ b/tests/datajson/datajson-06-valid-json/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,badhost,type string,load host.lst,key bad_host; ip.src; datajson:isset,bip,type ipv6,load ip.lst,key ip; sid:1;)
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,badhost,type string,load host.lst,key bad_host; ip.src; datajson:isset,bip2,type ipv6,load ip2.lst,key ip; sid:2;)
diff --git a/tests/datajson/datajson-06-valid-json/test.yaml b/tests/datajson/datajson-06-valid-json/test.yaml
new file mode 100644
index 000000000..ace23cd1d
--- /dev/null
+++ b/tests/datajson/datajson-06-valid-json/test.yaml
@@ -0,0 +1,28 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - src/datasets.c
+
+args:
+ - -k none --set datasets.enabled=yes
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.extra.ip: 42
+ alert.extra.bad_host: context
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ alert.extra.ip: 1.2
+ alert.extra.bad_host: context
diff --git a/tests/datajson/datajson-07-dataset/host.lst b/tests/datajson/datajson-07-dataset/host.lst
new file mode 100644
index 000000000..21cda8528
--- /dev/null
+++ b/tests/datajson/datajson-07-dataset/host.lst
@@ -0,0 +1 @@
+d3d3LnRlc3RteWlkcy5jb20=
diff --git a/tests/datajson/datajson-07-dataset/input.pcap b/tests/datajson/datajson-07-dataset/input.pcap
new file mode 100644
index 000000000..8fb6832de
Binary files /dev/null and b/tests/datajson/datajson-07-dataset/input.pcap differ
diff --git a/tests/datajson/datajson-07-dataset/ip.lst b/tests/datajson/datajson-07-dataset/ip.lst
new file mode 100644
index 000000000..81c6e5fbe
--- /dev/null
+++ b/tests/datajson/datajson-07-dataset/ip.lst
@@ -0,0 +1 @@
+10.16.1.11
diff --git a/tests/datajson/datajson-07-dataset/test.rules b/tests/datajson/datajson-07-dataset/test.rules
new file mode 100644
index 000000000..5513f03b2
--- /dev/null
+++ b/tests/datajson/datajson-07-dataset/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (flow:established,to_server; ip.src; datajson:isset,bip,type ipv6,load ip.lst,key ip; sid:1;)
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,badhost,type string,load host.lst,key bad_host; sid:2;)
diff --git a/tests/datajson/datajson-07-dataset/test.yaml b/tests/datajson/datajson-07-dataset/test.yaml
new file mode 100644
index 000000000..ea46efdcf
--- /dev/null
+++ b/tests/datajson/datajson-07-dataset/test.yaml
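Review bot: The intent behind the datajson-06-valid-json fixtures is not stated: both rules use `type ipv6` although ip.lst and ip2.lst hold IPv4 addresses, and the payloads are bare JSON scalars (`"context"`, `42`, `1.2`) rather than objects, which is what the `alert.extra.ip: 42` / `alert.extra.bad_host: context` checks rely on. If IPv4 keys in an ipv6-typed set and scalar payloads are the behaviours under test, a comment in test.yaml saying so, e.g. `# scalar JSON payloads (string, number) and IPv4 keys under type ipv6 are deliberate`, keeps a later cleanup from "fixing" them. The unused `10.16.1.12` entry in ip.lst is presumably a distractor and could be named in the same comment.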
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - src/datasets.c
+
+args:
+ - -k none --set datasets.enabled=yes
+
+exit-code: 1
diff --git a/tests/datajson/datajson-08-invalid-json/input.pcap b/tests/datajson/datajson-08-invalid-json/input.pcap
new file mode 100644
index 000000000..8fb6832de
Binary files /dev/null and b/tests/datajson/datajson-08-invalid-json/input.pcap differ
diff --git a/tests/datajson/datajson-08-invalid-json/ip.lst b/tests/datajson/datajson-08-invalid-json/ip.lst
new file mode 100644
index 000000000..12535c371
--- /dev/null
+++ b/tests/datajson/datajson-08-invalid-json/ip.lst
@@ -0,0 +1,2 @@
+10.16.1.12,42
+10.16.1.11,kjefe ef fef
diff --git a/tests/datajson/datajson-08-invalid-json/test.rules b/tests/datajson/datajson-08-invalid-json/test.rules
new file mode 100644
index 000000000..4de245d33
--- /dev/null
+++ b/tests/datajson/datajson-08-invalid-json/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (flow:established,to_server; ip.src; datajson:isset,bip,type ipv6,load ip.lst,key ip; sid:1;)
diff --git a/tests/datajson/datajson-08-invalid-json/test.yaml b/tests/datajson/datajson-08-invalid-json/test.yaml
new file mode 100644
index 000000000..ea46efdcf
--- /dev/null
+++ b/tests/datajson/datajson-08-invalid-json/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - src/datasets.c
+
+args:
+ - -k none --set datasets.enabled=yes
+
+exit-code: 1
diff --git a/tests/datajson/datajson-09-jsonformat/hosts-direct.json b/tests/datajson/datajson-09-jsonformat/hosts-direct.json
new file mode 100644
index 000000000..c3ef34c9d
--- /dev/null
+++ b/tests/datajson/datajson-09-jsonformat/hosts-direct.json
@@ -0,0 +1 @@
+[ {"context":"gold old test", "year": 2005, "host": "www.testmyids.com"} ]
diff --git a/tests/datajson/datajson-09-jsonformat/hosts-nested-key.json b/tests/datajson/datajson-09-jsonformat/hosts-nested-key.json
new file mode 100644
index 000000000..df490606c
--- /dev/null
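Review bot: `exit-code: 1` is the only assertion in datajson-07-dataset, so the test also passes when Suricata exits 1 for an unrelated reason (a rejected option, a missing feature, a rule that does not parse at all) rather than because the loader refused ip.lst/host.lst, which carry no JSON payload. If the harness supports it, add a check that the log contains the specific dataset load error; failing that, a comment naming the expected failure, e.g. `# expected to fail at startup: ip.lst/host.lst have no JSON payload, so datajson must refuse them`, at least tells the next reader what a spurious pass would hide. The datajson-08-invalid-json test.yaml hunk (identical blob, failure expected from the `kjefe ef fef` payload) has the same gap.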
+++ b/tests/datajson/datajson-09-jsonformat/hosts-nested-key.json
@@ -0,0 +1,21 @@
+{
+ "info": {
+ "threat": [
+ {
+ "context": "gold old test",
+ "year": 2005,
+ "host": {
+ "fqdn": "www.testmyids.com",
+ "domain": "testmyids.com"
+ }
+ },
+ {
+ "context": "old test",
+ "year": 2023,
+ "host": {
+ "domain": "testmyids.com"
+ }
+ }
+ ]
+ }
+}
diff --git a/tests/datajson/datajson-09-jsonformat/hosts-nested.json b/tests/datajson/datajson-09-jsonformat/hosts-nested.json
new file mode 100644
index 000000000..7106dcab0
--- /dev/null
+++ b/tests/datajson/datajson-09-jsonformat/hosts-nested.json
@@ -0,0 +1 @@
+{ "info": {"threat": [ {"context":"gold old test", "year": 2005, "host": "www.testmyids.com"} ] } }
diff --git a/tests/datajson/datajson-09-jsonformat/hosts.json b/tests/datajson/datajson-09-jsonformat/hosts.json
new file mode 100644
index 000000000..c7761c184
--- /dev/null
+++ b/tests/datajson/datajson-09-jsonformat/hosts.json
@@ -0,0 +1 @@
+{"threat": [ {"context":"gold old test", "year": 2005, "host": "www.testmyids.com"} ] }
diff --git a/tests/datajson/datajson-09-jsonformat/input.pcap b/tests/datajson/datajson-09-jsonformat/input.pcap
new file mode 100644
index 000000000..8fb6832de
Binary files /dev/null and b/tests/datajson/datajson-09-jsonformat/input.pcap differ
diff --git a/tests/datajson/datajson-09-jsonformat/src.json b/tests/datajson/datajson-09-jsonformat/src.json
new file mode 100644
index 000000000..21b598ed3
--- /dev/null
+++ b/tests/datajson/datajson-09-jsonformat/src.json
@@ -0,0 +1,3 @@
+[
+ {"ip": "10.16.1.11", "test": "success","context":3}
+]
diff --git a/tests/datajson/datajson-09-jsonformat/test.rules b/tests/datajson/datajson-09-jsonformat/test.rules
new file mode 100644
index 000000000..4caa80a70
--- /dev/null
+++ b/tests/datajson/datajson-09-jsonformat/test.rules
@@ -0,0 +1,7 @@
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,badhost,type string,load hosts.json,key bad_host,json_key host, array_key threat; ip.src; datajson:isset,src_ip,type ip,load src.json,key src_ip,json_key ip; sid:1;)
+
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,dbadhost,type string,load hosts-direct.json,key dbad_host,json_key host; ip.src; datajson:isset,src_ip,type ip,load src.json,key src_ip,json_key ip; sid:2;)
+
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,nbadhost,type string,load hosts-nested.json,key nbad_host,json_key host, array_key info.threat; ip.src; datajson:isset,src_ip,type ip,load src.json,key src_ip,json_key ip; sid:3;)
+
+alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,nkbadhost,type string,load hosts-nested-key.json,key nkbad_host,json_key host.fqdn, array_key info.threat; ip.src; datajson:isset,src_ip,type ip,load src.json,key src_ip,json_key ip; sid:4;)
diff --git a/tests/datajson/datajson-09-jsonformat/test.yaml b/tests/datajson/datajson-09-jsonformat/test.yaml
new file mode 100644
index 000000000..669934fa2
--- /dev/null
+++ b/tests/datajson/datajson-09-jsonformat/test.yaml
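Review bot: The datajson option lists in sid 1, 3 and 4 carry a space after the comma (`json_key host, array_key threat`, `json_key host.fqdn, array_key info.threat`) while every other datajson option in this change is written without one; if the parser accepts both, this test documents that tolerance only by accident, and if it does not, the rules fail to load. Either write the options the same way as the other tests or put a `# the space after "json_key host," is deliberate: the option parser must accept it` line above the rules. The second entry in hosts-nested-key.json has no `host.fqdn`; the sid 4 expectation implicitly requires that entry to be skipped rather than abort the load, and a comment line saying so would make the requirement explicit.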
@@ -0,0 +1,43 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - src/datasets.c
+
+args:
+ - -k none --set datasets.enabled=yes
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.extra.src_ip.test: success
+ alert.extra.bad_host.year: 2005
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ alert.extra.src_ip.test: success
+ alert.extra.dbad_host.year: 2005
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ alert.extra.src_ip.test: success
+ alert.extra.nbad_host.year: 2005
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ alert.extra.src_ip.test: success
+ alert.extra.nkbad_host.year: 2005
+ alert.extra.nkbad_host.host.domain: testmyids.com
diff --git a/tests/detect-pcre/detect-pcre-06/test.rules b/tests/detect-pcre/detect-pcre-06/test.rules
new file mode 100644
index 000000000..608d6c2ed
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-06/test.rules
@@ -0,0 +1,5 @@
+alert http any any -> any any (http.user_agent; pcre:"/^(?P[a-zA-Z]+)/"; priority:1; sid:1;)
+alert http any any -> any any (http.user_agent; pcre:"/^([a-zA-Z]+).*Ubuntu\/(\d+\.\d).*Firefox\/(.*)/ ,alert:user_agent, flow:ubuntu, pkt:firefox"; sid:2;)
+# Shouldn't match
+alert http any any -> any any (msg:"pcre flowvar http header, user-agent, no match"; content:"User-Agent: "; http_header; pcre:"/(?P.*)\r\n/HR"; content:"xyz"; http_header; priority:1; sid:3;)
+alert http any any -> any any (msg:"pcre flowvar http header, server, no match"; content:"Server: "; http_header; pcre:"/(?P.*)\r\n/HR"; content:"xyz"; http_header; priority:3; sid:4;)
diff --git a/tests/detect-pcre/detect-pcre-06/test.yaml b/tests/detect-pcre/detect-pcre-06/test.yaml
new file mode 100644
index 000000000..080d8d7c4
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-06/test.yaml
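Review bot: The named capture groups in sid 1, 3 and 4 are printed here without a name (`(?P[a-zA-Z]+)`, `(?P.*)`), yet test.yaml expects `alert.extra.ua` for sid 1, which implies `(?P<ua>...)` in the real file; if the `<name>` parts are genuinely missing rather than lost in this rendering, those rules will not compile and the count-0 checks for sid 3 and 4 would pass for the wrong reason, so the committed file is worth checking. The `# Shouldn't match` comment would also be clearer if it gave the reason, which from the rules is presumably the trailing `content:"xyz"; http_header` that the pcap's headers do not contain, e.g. `# Shouldn't match: the capture succeeds but content:"xyz" is not in the headers`.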
@@ -0,0 +1,41 @@
+pcap: ../detect-pcre-05/input.pcap
+
+requires:
+ min-version: 8
+
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.extra.ua: Mozilla
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ alert.extra.user_agent: Mozilla
+ metadata.flowvars[0].ubuntu: "8.1"
+ metadata.pktvars[0].firefox: "3.0.13"
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4