diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.bro
index d5a3ddee67..8dd07fcb53 100644
--- a/scripts/base/frameworks/files/main.bro
+++ b/scripts/base/frameworks/files/main.bro
@@ -293,7 +293,7 @@ event file_new(f: fa_file) &priority=10
 set_info(f);
 }
 
-event file_over_new_connection(f: fa_file, c: connection) &priority=10
+event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=10
 {
 set_info(f);
 add f$info$conn_uids[c$uid];
diff --git a/scripts/base/protocols/ftp/files.bro b/scripts/base/protocols/ftp/files.bro
index a943adff9d..c68717c8a2 100644
--- a/scripts/base/protocols/ftp/files.bro
+++ b/scripts/base/protocols/ftp/files.bro
@@ -28,7 +28,7 @@ event bro_init() &priority=5
 }
 
 
-event file_over_new_connection(f: fa_file, c: connection) &priority=5
+event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
 {
 if ( [c$id$resp_h, c$id$resp_p] !in ftp_data_expected )
 return;
@@ -37,4 +37,4 @@ event file_over_new_connection(f: fa_file, c: connection) &priority=5
 ftp$fuid = f$id;
 if ( f?$mime_type )
 ftp$mime_type = f$mime_type;
- }
\ No newline at end of file
+ }
diff --git a/scripts/base/protocols/http/entities.bro b/scripts/base/protocols/http/entities.bro
index cc852a7e11..fc8ab753ae 100644
--- a/scripts/base/protocols/http/entities.bro
+++ b/scripts/base/protocols/http/entities.bro
@@ -53,7 +53,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 }
 }
 
-event file_over_new_connection(f: fa_file, c: connection) &priority=5
+event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
 {
 if ( f$source == "HTTP" && c$http?$entity )
 {
diff --git a/scripts/base/protocols/http/files.bro b/scripts/base/protocols/http/files.bro
index 44fdc4c1f4..e45ff8cadb 100644
--- a/scripts/base/protocols/http/files.bro
+++ b/scripts/base/protocols/http/files.bro
@@ -40,7 +40,7 @@ event bro_init() &priority=5
 Files::register_protocol(Analyzer::ANALYZER_HTTP, HTTP::get_file_handle);
 }
 
-event file_over_new_connection(f: fa_file, c: connection) &priority=5
+event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
 {
 if ( c?$http )
 {
@@ -49,4 +49,4 @@ event file_over_new_connection(f: fa_file, c: connection) &priority=5
 else
 c$http$resp_fuids[|c$http$resp_fuids|] = f$id;
 }
- }
\ No newline at end of file
+ }
diff --git a/scripts/base/protocols/irc/files.bro b/scripts/base/protocols/irc/files.bro
index f4553b534a..8708270bfd 100644
--- a/scripts/base/protocols/irc/files.bro
+++ b/scripts/base/protocols/irc/files.bro
@@ -27,7 +27,7 @@ event bro_init() &priority=5
 Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, IRC::get_file_handle);
 }
 
-event file_over_new_connection(f: fa_file, c: connection) &priority=5
+event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
 {
 if ( [c$id$resp_h, c$id$resp_p] !in dcc_expected_transfers )
 return;
@@ -38,4 +38,4 @@ event file_over_new_connection(f: fa_file, c: connection) &priority=5
 f$info$filename = irc$dcc_file_name;
 if ( f?$mime_type )
 irc$dcc_mime_type = f$mime_type;
- }
\ No newline at end of file
+ }
diff --git a/scripts/base/protocols/smtp/entities.bro b/scripts/base/protocols/smtp/entities.bro
index 067b8acf8e..ec43b39ce1 100644
--- a/scripts/base/protocols/smtp/entities.bro
+++ b/scripts/base/protocols/smtp/entities.bro
@@ -31,7 +31,7 @@ event mime_begin_entity(c: connection) &priority=10
 ++c$smtp_state$mime_depth;
 }
 
-event file_over_new_connection(f: fa_file, c: connection) &priority=5
+event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
 {
 if ( f$source != "SMTP" )
 return;
diff --git a/scripts/base/protocols/smtp/files.bro b/scripts/base/protocols/smtp/files.bro
index e67181d6bc..1cf9ec01e1 100644
--- a/scripts/base/protocols/smtp/files.bro
+++ b/scripts/base/protocols/smtp/files.bro
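Review bot: The HTTP handler now receives the per-connection is_orig, but the branch that decides between the originator and responder fuid lists (the lines between the two hunks, whose else-arm assigns `c$http$resp_fuids`) is not touched, so it presumably still takes direction from the fa_file record instead of the event argument. As far as this diff shows, the record's is_orig field is assigned once in File::File when the file is first created, so a file later seen over a second connection in the opposite direction would be filed under the wrong list, which matters for any policy that treats uploads and downloads differently. If that condition reads `if ( f$is_orig )`, it should become `if ( is_orig )`; the same review is worth doing in the ftp, irc and smtp handlers changed in this commit, which accept the new parameter without using it. The handler body continues outside both hunks.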
@@ -27,8 +27,8 @@ event bro_init() &priority=5
 Files::register_protocol(Analyzer::ANALYZER_SMTP, SMTP::get_file_handle);
 }
 
-event file_over_new_connection(f: fa_file, c: connection) &priority=5
+event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
 {
 if ( c?$smtp )
 c$smtp$fuids[|c$smtp$fuids|] = f$id;
- }
\ No newline at end of file
+ }
diff --git a/src/event.bif b/src/event.bif
index df22902094..e4d6f8c844 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -911,8 +911,10 @@ event file_new%(f: fa_file%);
 ##
 ## c: The new connection over which the file is seen being transferred.
 ##
+## is_orig: true if the originator of *c* is the one sending the file.
+##
 ## .. bro:see:: file_new file_timeout file_gap file_state_remove
-event file_over_new_connection%(f: fa_file, c: connection%);
+event file_over_new_connection%(f: fa_file, c: connection, is_orig: bool%);
 
 ## Indicates that file analysis has timed out because no activity was seen
 ## for the file in a while.
diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index ed3d2ae9a8..9a06fa3db9 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -90,7 +90,7 @@ File::File(const string& file_id, Connection* conn, analyzer::Tag tag,
 // add source, connection, is_orig fields
 SetSource(analyzer_mgr->GetAnalyzerName(tag));
 val->Assign(is_orig_idx, new Val(is_orig, TYPE_BOOL));
- UpdateConnectionFields(conn);
+ UpdateConnectionFields(conn, is_orig);
 }
 
 UpdateLastActivityTime();
@@ -113,7 +113,7 @@ double File::GetLastActivityTime() const
 return val->Lookup(last_active_idx)->AsTime();
 }
 
-void File::UpdateConnectionFields(Connection* conn)
+void File::UpdateConnectionFields(Connection* conn, bool is_orig)
 {
 if ( ! conn )
 return;
@@ -137,6 +137,7 @@ void File::UpdateConnectionFields(Connection* conn)
 val_list* vl = new val_list();
 vl->append(val->Ref());
 vl->append(conn_val->Ref());
+ vl->append(new Val(is_orig, TYPE_BOOL));
 
 if ( did_file_new_event )
 FileEvent(file_over_new_connection, vl);
diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h
index 5d967e7356..794734d24b 100644
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@@ -173,8 +173,9 @@ protected:
 * Updates the "conn_ids" and "conn_uids" fields in #val record with the
 * \c conn_id and UID taken from \a conn.
 * @param conn the connection over which a part of the file has been seen.
+ * @param is_orig true if the connection originator is sending the file.
 */
- void UpdateConnectionFields(Connection* conn);
+ void UpdateConnectionFields(Connection* conn, bool is_orig);
 
 /**
 * Increment a byte count field of #val record by \a size.
diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index 453c6f7902..4e25bb0b0e 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -250,7 +250,7 @@ File* Manager::GetFile(const string& file_id, Connection* conn,
 rval->UpdateLastActivityTime();
 
 if ( update_conn )
- rval->UpdateConnectionFields(conn);
+ rval->UpdateConnectionFields(conn, is_orig);
 }
 
 return rval;
diff --git a/testing/scripts/file-analysis-test.bro b/testing/scripts/file-analysis-test.bro
index 9df640c893..cf2bbf2d59 100644
--- a/testing/scripts/file-analysis-test.bro
+++ b/testing/scripts/file-analysis-test.bro
@@ -66,7 +66,7 @@ event file_new(f: fa_file)
 }
 }
 
-event file_over_new_connection(f: fa_file, c: connection)
+event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
 {
 print "FILE_OVER_NEW_CONNECTION";
 }
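Review bot: The new Val is appended to vl unconditionally, but vl is only handed to FileEvent under did_file_new_event; whatever the other path (outside this hunk) does with the list previously had to dispose of two Ref()'d elements and now owns a third heap-allocated one, so confirm it releases the whole list rather than unreffing the two it used to hold. It is also worth a one-line comment on the added line, since this flag is the per-connection direction passed in by the caller and not the is_orig field that File::File assigns into #val: `// per-connection direction; deliberately distinct from #val's is_orig field`. UpdateConnectionFields begins and ends outside the hunk.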
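Review bot: The added @param line says what is_orig means but not what the method does with it, and the summary above it still says the method only updates the conn_ids/conn_uids fields; in File.cc the flag is only appended to the file_over_new_connection event arguments and does not touch the is_orig field of #val, which File::File sets. Suggest adding after the summary sentence: ` * Also raises file_over_new_connection, passing \a is_orig as the direction, when did_file_new_event is set.` That keeps a reader from assuming the call re-labels the file's own direction.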