diff --git a/NEWS b/NEWS
index 485bff0a78..e6c5326892 100644
--- a/NEWS
+++ b/NEWS
@@ -51,6 +51,11 @@ Breaking Changes
 - The ``IsPacketSource()`` method on ``IOSource`` was removed. It was unused and incorrectly returned ``false`` on all packet sources.
+- The parsing of data for the ``ssl_session_ticket_handshake`` event was fixed.
+ In the past, the data contained two extra bytes before the session ticket
+ data. The event now contains only the session ticket data. You might have to
+ adjust your scripts if you manually worked around this bug in the past.
+
 New Functionality -----------------
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index 2e2271779a..ca66878644 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -793,7 +793,8 @@ type Finished(rec: HandshakeRecord) = record {
 type SessionTicketHandshake(rec: HandshakeRecord) = record {
 ticket_lifetime_hint: uint32;
- data: bytestring &restofdata;
+ length: uint16;
+ data: bytestring &length=length;
 };
 ######################################################################
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.session-ticket/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.session-ticket/.stdout
new file mode 100644
index 0000000000..dfd725c9b1
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.session-ticket/.stdout 
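Review bot: The new `length: uint16` in SessionTicketHandshake is taken straight from the wire with no explicit check that it fits inside the remaining handshake body, so an oversized value reaching `data: bytestring &length=length` is left to binpac's generic out-of-bounds handling instead of being rejected as a malformed NewSessionTicket. Consider adding a `&check(length <= <remaining-handshake-bytes>)` on `length` (the enclosing HandshakeRecord, which is outside this hunk, presumably carries the message size to compare against) so truncated or corrupt tickets fail deterministically and surface as protocol violations if that is how the SSL analyzer reports parse failures. The layout matches the NewSessionTicket structure of RFC 5077, section 3.3 (32-bit lifetime hint, then an opaque ticket with a 16-bit length prefix); a comment such as `# NewSessionTicket (RFC 5077 sec. 3.3): lifetime hint, then a 16-bit-length-prefixed opaque ticket` would document why the two bytes that previously leaked into the event were the length prefix. Whether bytes trailing `data` are now silently ignored depends on how the enclosing record bounds this message, which is not visible here.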
@@ -0,0 +1,5 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +CVE-2015-3194.pcap +300, \x8a\xfd\xb2q\xd2\xa7\xf8^=\x84\xc8\x123\x88\xa72[\xca4\xa6\x95:-D\x98s\xfd\xb6\xc8\x17\xb2\x81\xfa\xf9u\x0dz\xd00$\x96<\xfe;3\x04\xcd\xc1\x16\xa7\xc7\xf8\x9cD\x9f\x82\xaf\xf2\xed\xeer[3\x17\x04\x1a\xa0v\xf9h:w*\x04\xa5\x8d\xe9E\x7f\xae,y&PT\x11\x18\xb3\xff+\x03\x87;\xe6\xe9\xd6J\xe3\x0d\x1b\xf3\x08>\x921\xbd\xca3\x88\x86'h\xfe\x8c~7\xa6\x828\x8b\xcf\x0f\xa7y[\x9d\xfazF\x02\xb0[\xc3\xac\xbb\xa2\xd3=\xf1\x8c\xf8k\xd7\x1f\x9e \xb6\x90h\x95\x0c\xb7)\x00zW\xc7\x93\xec\x10 +client-certificate.pcap +300, M#\xa7J\x9e\x8a\x19p{\x83\xf2\xe4\xa5\xf6C\x0f\xddNh6\x19\x9f0\xc1\x83\x84\xab\xf6\xd2\xa5?o\xf7%\x8b\x01D\xe5\xf4\xcb\x17\x05\x1c`\xdc\xb1\xff\xd5\xf9\xfe\xe2\Vu=\xb8\xee\xb6\xb2\xd6w\xdb\x95DT\xfb\x86\xea\xf4\x0c\xf3\xe2\xb0\x07\x0e\x1d\xcf\x01\xa0\xc3/\x19D*\x15;\xf2\x9d\x13\xcb\xecZ4\xe1\x9a\x14\xf3\xcf\xb1\xe8\x0e\x16&7n\xb2&\xae\xcdcb\x04@\xca\xa9\x00\x8e\xa1\x18\xc2I&\xa6$\xcb8\xdc\xb6\x04\xb5\xef55\x91kv\x10\x19\xfcP\xef5'\xdf\x01\xd9IM\xc1\xd5\xf0\xc8\xd5\x94\x06\xe6jw\xb1\x93go\xc1*\xb3y|A\x9f\xed\xdf\xc6a1\x1c\xc3Q\xde\x83a'X\xcc@\xe9Q\x9c\xf9\xad\x873\x00\x8f\x07\xe0\x14\x12g\xed\xdeo\xdd\xfc\xc6\xdfc\xaf\x1a\xe5'\xd8\x918\xb4\x8a\x9b\xb9\xdcF\xed\x98\x08\xfe\xe49G\xc5M\xccg\xe7\x8a\xa4z\xc6\x82>\x9d\x1a\x0d0/\xa5\xf1\xefb\xde\xab_5\xdc\xf3\xea\xe0s\x0cm\xbc>\xb2Zb\xf1\x11\x8f\xc60\x7f\x82\xa9\xfbt6Xg\xcd\xd1\xa7\xdbHOX\xbaU\x0b4\xda\x91L\xff\x0a\x15.JZ\xbf\xe9\xf0\x17\x92U\x86\xe9Q\x1d\x9c\xbf\x16^"]A0\xa9um\xef\x8f\x14=\xfes\xcc\xad\x12\x87\xd2\x7f\\x18\x00\xef\xd0V\xbb\xf2\xf4\xdb\x7f\xabO\x00B\xf7\x0c\xd0q\x9b%8\x85C\x02e\x0epom\\xa0\xf3\xff\xac\x99o\x8f\x89\xab^\x1b\x95\xa2x\x0c\x1a\x84\x19\xc2]\xfb,[;.\xa4\xb5L\x05\xb2\x8a\xd7eF\x98\xcb\xa6\xe6D\xaf\xdb\x96D/\xc3i\xc3\xfdfY\xd7\xd5jO\xc9\xd17\x97\xa9\xd4\x9e\x91\xc0O\x0b?I\xdb\xba\xf8\xf20\xeb\xcdY\xf5\xf3\xa1H\xf1\x82\x90\x91\xcd\x91\x90\xaa\x05\xa
c\x12\x15\x10\x9a#\xd2\xfc\xdf\x92g\xe7\xbeK\x1b")\xcd\x96\x90t\x07\xf7\xf3H\xf6\x81\x0aMJs,\xa4\x94\xb4@R\xa8\xbb\xa6\xdd\'\xef\xde%%\xf0i\xf3B\x1e]\x01S&sK\x17Q&U\xf3\x04\xa1\x0f\x11\xf2\xcc\xd2w\xfdy]\xdb`GL\xf8,\x96w\xa7\xa9\x09\xafB\xe8vz\x80\x98\xe1\x83)Ce=\xbf\x04\x97\xb9\xf70:\xdc\xc0\xcd\xb6%\xd8\xd2-\xae\x86\xcb\x00A\x86\xdf1\x0cs0\xc3\x99\xfd\xa7[\xf4P.\x89g)o\x04\xc4\xbc\xc4\xe2\xce!"\xb7\xce\x13\x9b\xbc\x0b\x05\xbb\xad\xc0,\xb1(bz\xb2\xe8\x00X\xfa2\x9e~\x1dk3?}\x8c\xb1N\x9aG\x85\xd0T7\x08q\x85l\xe8\xd78\xefP\x9fG\xac\x17\xf0\x7f\x7f"\xa6\x8aa\x83\xb2;\x99q?\x91\xa03`w\x80\xfb\xe46\x18\xb5\xfa:ty\xbe\x0d\xf6K\x9c\x88f\xc0\xc2\xd4\x88Z\xb4\x0c\xf0{\xd9-\xa6~\xed\xcc\xbe\xdd(\x9e\xb5*\xcb\xbfn7\xad8\x18\xc7\xad\xd3\xb6\x7flJ\xb0\xaa\xe4\xac\x9a\xf4\xe6\x8eRo\x16\xd5\xb0d&\x01%\xe6q\xb7\xaeC0\xe5{\xbe\xf1b\xf5\xfe\x99\xa2c\x91\xc7\x07\x1dW\xf4\xe9lRD\xe9\x88\xdb\x9fy\xfd\xcd;y|{\xddJp\xe5\xaa\xab\x0e\xb9\x1e\xc7A\xbb\x85r\xa7X\x1c\x09\x0f\xa1\xba\x01\xeddt\xb8\xba\x95\xc5\xfcc`IMe\xd4\x9a\xbcqv\x07\x01\x86\xc4\x0d\xed\xee\xa2\xf4A\xbcQPc\xb3\xa5E\xbf\xdc\xd97\xdd\x99I5\xf9\xa6O\xc45\xf84\xd04"\xf1\x8d/\x13t(J&\xa7MS\xe5\x9d6 b\xf9\xbcr\xad\xf3i\xed\xcf\xc45\x1b\xac\x03\x8fv!\x1b\x8a\x9e\x86F\x9e\xba7\xff\xee\x90\x0e\x92\x84\xb0\x85\x80\xf0\x19\xb1\x0a+qp\x96Q\xde'\xdb\x01\x14\xb2\xefO\xb0\x09\x9c}Brq\xc9_y\xd0@[\x8dzd#\xeb\xad\xacztl\xf3\xc2p!\x0c\x9b\xb9\xf7\x9b\xc3G\xb1\x0b\xe6N(\xfe|4\xb1\x08\xc8\x9fw\x86\x97Rt+\xbe\xfaK\x93\xe8\xad\x10+\xb8(M\x8d1\xeb\x0fZi~\x12\xaa\xaa\xabZ\xfd\x9b\x13{U\x0a\x8a\x062a\x0eoAZa\x91\xd9p\xf2<\x1fn\x8b\xf8\xbbw\x18wH\xc2\xe0\xd5\xd6\xc9/:\xe5\x01:\xfa\xfd\xdf\xed\xad\xf6\x152\xccO\x84.\x8e\x88\xe9\x80\x11\x10 
\xb4\xa9>\x02\xa7\xfc\xd1\x84\xecD\xf2.\x05\xe4\xfe\xe2\x0d{\xbfh\x900\xa6l\xfa2\xd9s\x89%\xc11\xbc|&E\xad\x07C\xbad\x93A"=4\xa0\x87\x89\xc7;\xaf\x01\xbcU\xc6\xffE\xb9\xcfK\x1b\xa0\xf9\xf3\x95\x84\xbe\x1b\xa2\xef\xab\xe3\x84:\xd8P\x09\xc3\xef\xe3\xee\xa28\xde\xda\xc9\x13\xfeck\xceX\x18\xff\xc9\x0f\xefC\xff\xaal;\xd1\x18\xe3\x12\xf0vg\xca\x0d\xa6\x8b`)\xa0LkTry\xbee\xe1\x1c\xbc\xdc!\xab\x1d-C\xee\x90\xedg\x17\xde\xf8?\x8a\xeb\x00\x94_\xdb\xd1\x0d\xfd\x07x\xb4\xa7\xc6\x08h\xfe_\xbe\xf4\xf6\x9b\x97\x15\xa8\x89Ex\xfc\x9e\xf1\xf9\xfbl3\xb4\xb8\x1fb\xabKS\x18b\x9d\xc1\xfa\xb4?\xea\x88\x8c\xfcM%\xe52\xf3\xe8\xc29\xfeY\xfb<\x7f\xdc"4\x0f$\xe8z\xa2\xeb\xd6\xb4\xfa\xbaMq}C\xa31\x7fP\xc1l\xc1\x81\xde\xbar\x0e\x81c\xaa\x1f\xe1\xca\x96\x9e\xb8<'\x04\xca/\xda\x98\xe2w\xa1%\xcd\xc5\xb0\xca\x88\xa0\xab\xe9n\x98K\xeap\xba\x86\xafF\xf3G\xe4\x97\x05\xcep\x12\x10MB@G\x96z\xbc\x1d5Z\xc6~\x075d\xcb\xbaD\x0c\x80\xdb\xfb\xf2\xbb\x97\xa8\x14Y6~c\x98\xecA\x1fi}\xff\xe7\x9d\x93\xd2\xcb\xad#\x91\x15(\x18=\x05\xb4\xe5\x8e\x98/\xe6\xfc\x18E\xaeO\xf2?yc\xe8\xf1\x9c\x05\xceo\xd3\xd3S\x02a
diff --git a/testing/btest/scripts/base/protocols/ssl/session-ticket.test b/testing/btest/scripts/base/protocols/ssl/session-ticket.test
new file mode 100644
index 0000000000..da788982d5
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/session-ticket.test
@@ -0,0 +1,13 @@
+# @TEST-DOC: Tests the ssl_session_ticket_handshake event
+# @TEST-EXEC: echo "CVE-2015-3194.pcap"
+# @TEST-EXEC: zeek -b -C -r $TRACES/tls/CVE-2015-3194.pcap %INPUT
+# @TEST-EXEC: echo "client-certificate.pcap"
+# @TEST-EXEC: zeek -b -C -r $TRACES/tls/client-certificate.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/ssl
+
+event ssl_session_ticket_handshake(c: connection, ticket_lifetime_hint: count, ticket: string)
+ {
+ print ticket_lifetime_hint, ticket;
+ }