diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index e5638912cd..aaecc7c5ee 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -34,7 +34,7 @@ repos:
       exclude: '^(.typos.toml|src/SmithWaterman.cc|testing/.*|auxil/.*|scripts/base/frameworks/files/magic/.*|CHANGES)$'
 
 - repo: https://github.com/bbannier/spicy-format
-  rev: v0.15.0
+  rev: v0.16.2
   hooks:
     - id: spicy-format
       # TODO: Reformat existing large analyzers just before 8.0.
diff --git a/CHANGES b/CHANGES
index c3ba7a5a8d..36478fed3d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+7.1.0-dev.309 | 2024-09-12 08:51:08 +0200
+
+  * Bump spicy-format to 0.16.2 (Johanna Amann, Corelight)
+
+  * Spicy SSL: reformat with new version of spicy format (Johanna Amann, Corelight)
+
 7.1.0-dev.305 | 2024-09-11 16:55:55 +0200
 
   * Spicy SSL analyzer:
diff --git a/VERSION b/VERSION
index 15a1f8311f..a447525a23 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-7.1.0-dev.305
+7.1.0-dev.309
diff --git a/src/analyzer/protocol/ssl/spicy/SSL.spicy b/src/analyzer/protocol/ssl/spicy/SSL.spicy
index 76b1be2a0f..e03910dde2 100644
--- a/src/analyzer/protocol/ssl/spicy/SSL.spicy
+++ b/src/analyzer/protocol/ssl/spicy/SSL.spicy
@@ -701,7 +701,7 @@ type SSL2Record = unit(lengthone: uint8, inout msg: Message, inout sh: Share) {
     var length: uint16;
 
     on lengthtwo {
-        self.length = (cast<uint16>(lengthone) & 0x7F)<<8 | self.lengthtwo;
+        self.length = (cast<uint16>(lengthone) & 0x7F) << 8 | self.lengthtwo;
     }
     message_type: uint8;
 
@@ -712,7 +712,7 @@ type SSL2Record = unit(lengthone: uint8, inout msg: Message, inout sh: Share) {
         SSL2ProtocolMessages::ssl_server_verify -> : skip bytes &size=self.length;
         SSL2ProtocolMessages::ssl_request_certificate -> : skip bytes &size=self.length;
         SSL2ProtocolMessages::ssl_client_certificate -> : skip bytes &size=self.length;
-    } if(get_encrypted(sh) == False) ;
+    } if(get_encrypted(sh) == False);
     : skip bytes &size=self.length if(get_encrypted(sh) == True);
 
     on %done {
@@ -842,7 +842,7 @@ function determine_encryption_on(pr: PlaintextRecord, content_type: uint8, hands
         return False;
 
     if (content_type != 23) # application_data
-    return False;
+        return False;
 
     ## in theory, we should check for TLS13 or draft-TLS13 instead of doing the reverse.
     ## But - people use weird version numbers. And all of those weird version numbers are