diff --git a/CHANGES b/CHANGES
index 9a97e9798c..265f047640 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5.2.0-dev.320 | 2022-11-16 14:50:58 -0700
+
+  * ssh: Test for c$ssh$analyzer_id existence (Arne Welzel, Corelight)
+
 5.2.0-dev.317 | 2022-11-15 11:34:47 -0700
 
   * init-bare: Fix zeek:see after bif renaming (Arne Welzel, Corelight)
diff --git a/VERSION b/VERSION
index d09f206537..ae85632a6c 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-5.2.0-dev.317
+5.2.0-dev.320
diff --git a/scripts/base/protocols/ssh/main.zeek b/scripts/base/protocols/ssh/main.zeek
index 91a6e676a9..cb63c409ae 100644
--- a/scripts/base/protocols/ssh/main.zeek
+++ b/scripts/base/protocols/ssh/main.zeek
@@ -249,7 +249,7 @@ event ssh_auth_attempted(c: connection, authenticated: bool) &priority=5
 	c$ssh$auth_success = authenticated;
 	c$ssh$auth_attempts += 1;
 
-	if ( authenticated && disable_analyzer_after_detection )
+	if ( authenticated && disable_analyzer_after_detection && c$ssh?$analyzer_id )
 		disable_analyzer(c$id, c$ssh$analyzer_id);
 	}