diff --git a/NEWS b/NEWS index b20efb7a91..feebbd0928 100644 --- a/NEWS +++ b/NEWS @@ -16,6 +16,14 @@ New Functionality ``--event-trace`` / ``-E`` command-line options. For details, see: https://docs.zeek.org/en/master/quickstart.html#tracing-events +- Zeek now features limited TLS decryption capabilities. This feature is experimental + and only works for TLS 1.2 connections that use the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + ciphersuite. Furthermore Zeek requires access to the pre-master secret of each TLS + connection. Typically this functionality will be most useful when analyzing trace-files + where the TLS client recorded the key material. For more details and examples how to + use this functionality, see the TLS Decryption documentation at + https://docs.zeek.org/en/master/frameworks/tls-decryption.html + - The new --with-gen-zam configure flag and its corresponding GEN_ZAM_EXE_PATH cmake variable allow reuse of a previously built Gen-ZAM code generator. This aids cross-compilation: the Zeek build process normally compiles Gen-ZAM on @@ -161,14 +169,6 @@ New Functionality - The GRE analyzer now supports the Aruba WLAN protocol type. -- Zeek now features limited TLS decryption capabilities. This feature is experimental - and only works for TLS 1.2 connections that use the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - ciphersuite. Furthermore Zeek requires access to the pre-master secret of each TLS - connection. Typically this functionality will be most useful when analyzing trace-files - where the TLS client recorded the key material. For more details and examples how to - use this functionality, see the TLS Decryption documentation at - https://docs.zeek.org/en/master/frameworks/tls-decryption.html - Changed Functionality ---------------------
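Review bot: In the first hunk (NEWS, new lines around 19-25), the relocated entry carries a few wording problems that are worth fixing while the text is being touched: "Furthermore Zeek requires" needs a comma after "Furthermore", "examples how to use this functionality" should read "examples of how to use this functionality", and "trace-files" is normally written "trace files". The entry also says Zeek "requires access to the pre-master secret" without saying how that secret is supplied; a short pointer in the sentence itself, in addition to the documentation link, would help readers judge the key-handling implications before they enable an experimental feature.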
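Review bot: In the second hunk (NEWS, old lines around 164-171), the removed entry is word-for-word the one added in the first hunk, so this is a pure move, but nothing visible explains why. Both hunk headers show "New Functionality" as context, so the diff alone does not tell a reader which section is the source and which is the destination. Please state the reason for the move in the commit message (for example, which release section the entry belongs in) so that anyone checking when TLS decryption first shipped can tell whether the earlier placement was a mistake.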