diff --git a/src/analyzer/protocol/mysql/events.bif b/src/analyzer/protocol/mysql/events.bif
index 8f5596e655..a102842e05 100644
--- a/src/analyzer/protocol/mysql/events.bif
+++ b/src/analyzer/protocol/mysql/events.bif
@@ -84,9 +84,20 @@ event mysql_server_version%(c: connection, ver: string%);
 ##
 ## username: The username supplied by the client
 ##
-## .. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_server_version
+## .. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_server_version mysql_ssl_request
 event mysql_handshake%(c: connection, username: string%);
 
+## Generated for a short client handshake response packet with the CLIENT_SSL
+## flag set. Usually the client will initiate a TLS handshake afterwards.
+#
+## See the MySQL `documentation `__
+## for more information about the MySQL protocol.
+##
+## c: The connection.
+##
+## .. zeek:see:: mysql_handshake
+event mysql_ssl_request%(c: connection%);
+
 ## Generated for information about plugin authentication within handshake packets.
 ##
 ## c: The connection.
diff --git a/src/analyzer/protocol/mysql/mysql-analyzer.pac b/src/analyzer/protocol/mysql/mysql-analyzer.pac
index 48cd0b6bd5..28ce1e7d9e 100644
--- a/src/analyzer/protocol/mysql/mysql-analyzer.pac
+++ b/src/analyzer/protocol/mysql/mysql-analyzer.pac
@@ -47,6 +47,10 @@ refine flow MySQL_Flow += {
 if ( ${msg.version} == 10 && ( ${msg.v10_response.cap_flags} & CLIENT_SSL ))
 {
 connection()->zeek_analyzer()->StartTLS();
+
+ if ( mysql_ssl_request )
+ zeek::BifEvent::enqueue_mysql_ssl_request(connection()->zeek_analyzer(),
+ connection()->zeek_analyzer()->Conn());
 return true;
 }
diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-12.out b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-12.out
new file mode 100644
index 0000000000..dd294ea217
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-12.out
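Review bot: The third line of the new doc block is `+#` while every other line of it, and the existing event docs above and below, use `##`; as far as I know bifcl only folds `##` lines into the generated documentation, so a bare `#` in the middle can split the block before the "See the MySQL ..." sentence — it should read `##`. The link text `documentation `__` also shows no URL target in this listing; if that is not an artifact of how the diff was captured, the `<https://...>` target is missing. The description would benefit from a caveat for script authors, since the event only says the client asked for TLS, not that TLS was negotiated: `## Note that this event is raised before any TLS handshake is observed; use the ssl_* events to confirm that encryption actually followed.`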
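Review bot: `connection()->zeek_analyzer()` is now evaluated three times in this branch; hoisting it once, `auto* a = connection()->zeek_analyzer();`, and then using `a->StartTLS();` and `enqueue_mysql_ssl_request(a, a->Conn())` reads cleaner and keeps the enqueue on one line. A one-line comment above the enqueue would also help a reader, because the event is raised right after StartTLS() hands the rest of the stream to the SSL analyzer and nothing here confirms TLS follows: `// Report the SSLRequest to script-land; whether TLS actually follows is reported by the SSL analyzer.` The enclosing handler begins and ends outside this hunk.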
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+mysql ssl request, CHhAvVGS1DHFjwGM9
diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-13.out b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-13.out
new file mode 100644
index 0000000000..dd294ea217
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted-aws-rds/tls-13.out
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+mysql ssl request, CHhAvVGS1DHFjwGM9
diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/out b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/out
new file mode 100644
index 0000000000..dd294ea217
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/out
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+mysql ssl request, CHhAvVGS1DHFjwGM9
diff --git a/testing/btest/scripts/base/protocols/mysql/encrypted-aws-rds.test b/testing/btest/scripts/base/protocols/mysql/encrypted-aws-rds.test
index d653608aa4..7f336edf80 100644
--- a/testing/btest/scripts/base/protocols/mysql/encrypted-aws-rds.test
+++ b/testing/btest/scripts/base/protocols/mysql/encrypted-aws-rds.test
@@ -1,15 +1,17 @@
 # Just two traces with MySQL running in Amazon RDS tls1.3 and tls1.2
-# @TEST-EXEC: zeek -b -r $TRACES/mysql/tls-12-amazon-rds.trace %INPUT
-# @TEST-EXEC: mkdir tls-12 && mv *log tls-12
+# @TEST-EXEC: zeek -b -r $TRACES/mysql/tls-12-amazon-rds.trace %INPUT >out
+# @TEST-EXEC: mkdir tls-12 && mv *log out tls-12
 #
-# @TEST-EXEC: zeek -b -r $TRACES/mysql/tls-13-amazon-rds.trace %INPUT
-# @TEST-EXEC: mkdir tls-13 && mv *log tls-13
+# @TEST-EXEC: zeek -b -r $TRACES/mysql/tls-13-amazon-rds.trace %INPUT >out
+# @TEST-EXEC: mkdir tls-13 && mv *log out tls-13
 #
+# @TEST-EXEC: btest-diff tls-12/out
 # @TEST-EXEC: btest-diff tls-12/conn.log
 # @TEST-EXEC: btest-diff tls-12/ssl.log
 # @TEST-EXEC: btest-diff tls-12/x509.log
 #
+# @TEST-EXEC: btest-diff tls-13/out
 # @TEST-EXEC: btest-diff tls-13/conn.log
 # @TEST-EXEC: btest-diff tls-13/ssl.log
 # @TEST-EXEC: ! test -f tls-13/x509.log
@@ -17,3 +19,8 @@
 @load base/protocols/conn
 @load base/protocols/mysql
 @load base/protocols/ssl
+
+event mysql_ssl_request(c: connection)
+ {
+ print "mysql ssl request", c$uid;
+ }
diff --git a/testing/btest/scripts/base/protocols/mysql/encrypted.test b/testing/btest/scripts/base/protocols/mysql/encrypted.test
index 1f43ec7da6..808bed3cfb 100644
--- a/testing/btest/scripts/base/protocols/mysql/encrypted.test
+++ b/testing/btest/scripts/base/protocols/mysql/encrypted.test
@@ -3,8 +3,9 @@
 # empty mysql.log file.
 # @TEST-EXEC: touch mysql.log
-# @TEST-EXEC: zeek -b -r $TRACES/mysql/encrypted.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/mysql/encrypted.trace %INPUT >out
 # @TEST-EXEC: btest-diff mysql.log
+# @TEST-EXEC: btest-diff out
 #
 # Ensure the connection was handed off by peaking into some other logs.
 # @TEST-EXEC: btest-diff conn.log
@@ -14,3 +15,8 @@
 @load base/protocols/conn
 @load base/protocols/mysql
 @load base/protocols/ssl
+
+event mysql_ssl_request(c: connection)
+ {
+ print "mysql ssl request", c$uid;
+ }
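Review bot: The new handler in the second hunk pins only that mysql_ssl_request fires and for which uid; it does not record that the request is actually followed by the TLS handshake the hand-off is meant to enable, which is the property these RDS traces exist to cover. Adding a matching `ssl_established` handler that prints the same uid makes the baseline capture both events and their relative order for the TLS 1.2 and TLS 1.3 traces (assuming both traces complete the handshake — the ssl.log baselines are not part of this diff). The same addition would fit the handler added to encrypted.test below.

```zeek
# … unchanged: mysql_ssl_request handler …

event ssl_established(c: connection)
	{
	print "ssl established", c$uid;
	}
```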