diff --git a/CHANGES b/CHANGES
index d766eb7492..870d87eb76 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,18 @@
+5.1.0-dev.273 | 2022-07-19 12:57:11 +0100
+
+ * Remove use of fallible `get_conn_transport_proto` in `analyzer_violation`. (Benjamin Bannier, Corelight)
+
+ When setting up the DPD info we previously would get the
+ `transport_proto` for the connection with `get_conn_transport_proto`.
+ This function takes a `conn_id` and would fail fatally if the connection
+ for the given ID was unknown. It seems it was possible to run into such
+ scenarios when the `analyzer_violation` event was processed after the
+ connection had been cleaned up.
+
+ We now get the `transport_proto` directly from the ports in the
+ `connection` passed into `analyzer_violation` via
+ `get_port_transport_proto` which cannot fail.
+
 5.1.0-dev.271 | 2022-07-19 12:01:41 +0200
 
 * GH-2276: Raise smb2_file_delete for CREATE with
diff --git a/VERSION b/VERSION
index bab36f8e6f..c4b82b416f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-5.1.0-dev.271
+5.1.0-dev.273
diff --git a/scripts/base/frameworks/dpd/main.zeek b/scripts/base/frameworks/dpd/main.zeek
index b00a600dc1..7e8283b2c7 100644
--- a/scripts/base/frameworks/dpd/main.zeek
+++ b/scripts/base/frameworks/dpd/main.zeek
@@ -79,7 +79,7 @@ event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count,
 info$ts=network_time();
 info$uid=c$uid;
 info$id=c$id;
-info$proto=get_conn_transport_proto(c$id);
+info$proto=get_port_transport_proto(c$id$orig_p);
 info$analyzer=analyzer;
 info$failure_reason=reason;
 c$dpd = info;
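Review bot: The new `info$proto=get_port_transport_proto(c$id$orig_p);` line carries no comment explaining why the protocol is derived from a port rather than looked up by `conn_id`, so the reasoning in the commit message (the connection may already be cleaned up when this event is processed) will be lost to the next maintainer who is tempted to switch back. I would add above it: `# Derive the transport protocol from the port instead of looking the conn_id up in the connection table; the connection may already have been removed when this event runs, and get_conn_transport_proto would then fail.` Using only `orig_p` presumably relies on both ports of a `conn_id` carrying the same transport protocol, which seems reasonable but is worth stating in that comment. The `analyzer_violation` handler begins before this hunk and its body continues past it, so any further validation of `info` lies outside what is shown here.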