diff --git a/mod_security.spec b/mod_security.spec
index 4f70ff32a8102844ebe25d8c687ea32bd97f42eb..d2e8c57274be904f1786fa9ea28a4e1def8ac216 100644
--- a/mod_security.spec
+++ b/mod_security.spec
@@ -7,7 +7,7 @@
 Name: mod_security
 Version: 2.9.5
-Release: 4
+Release: 5
 Summary: Security module for the Apache HTTP Server
 License: ASL 2.0
 URL: http://www.modsecurity.org/
@@ -18,6 +18,7 @@ Source3: modsecurity_localrules.conf
 Patch0000: modsecurity-2.9.5-lua-54.patch
 Patch0001: modsecurity-2.9.5-use-uid-if-user-name-is-not-available.patch
 Patch0002: modsecurity-2.9.5-Properly-cleanup-XML-parser-contexts-upon-completion.patch
+Patch0003: modsecurity-2.9.5-Add-SecRequestBodyJsonDepthLimit-to-modsecurity.conf.patch
 Requires: httpd httpd-mmn = %{_httpd_mmn}
 BuildRequires: gcc make perl-generators httpd-devel yajl yajl-devel
@@ -100,6 +101,9 @@ install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
 %endif
 %changelog
+* Sat Jan 7 2023 yaoguangzhong - 2.9.5-5
+- backport Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
+
 * Fri Jan 6 2023 yaoguangzhong - 2.9.5-4
 - backport properly cleanup XML parser contexts upon completion
diff --git a/modsecurity-2.9.5-Add-SecRequestBodyJsonDepthLimit-to-modsecurity.conf.patch b/modsecurity-2.9.5-Add-SecRequestBodyJsonDepthLimit-to-modsecurity.conf.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3918deade2dbef08ded858068a3dfb13f690bd92
--- /dev/null
+++ b/modsecurity-2.9.5-Add-SecRequestBodyJsonDepthLimit-to-modsecurity.conf.patch
@@ -0,0 +1,30 @@
+From d12959e18fccaf12708897baced782b9a63622fa Mon Sep 17 00:00:00 2001
+From: yaoguangzhong
+Date: Sat, 7 Jan 2023 11:05:51 +0800
+Subject: [PATCH] Add SecRequestBodyJsonDepthLimit to
+ modsecurity.conf-recommended
+
+From Author: Martin Vierula
+---
+ modsecurity.conf-recommended | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/modsecurity.conf-recommended b/modsecurity.conf-recommended
+index f357d95..c84ddce 100644
+--- a/modsecurity.conf-recommended
++++ b/modsecurity.conf-recommended
+@@ -58,6 +58,11 @@ SecRequestBodyInMemoryLimit 131072
+ #
+ SecRequestBodyLimitAction Reject
+ 
++# Maximum parsing depth allowed for JSON objects. You want to keep this
++# value as low as practical.
++#
++SecRequestBodyJsonDepthLimit 512
++
+ # Verify that we've correctly processed the request body.
+ # As a rule of thumb, when failing to process a request body
+ # you should reject the request (when deployed in blocking mode)
+-- 
+2.27.0
+
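Review bot: The added `SecRequestBodyJsonDepthLimit 512` line only touches the recommended configuration, while the spec still builds from the 2.9.5 tarball and its Patch0000–Patch0003 list contains no patch that adds the directive to the engine itself. If the 2.9.5 parser does not recognise this directive, httpd will refuse to start on the shipped config with an unknown-directive error, so the backport is only safe if the engine-side change that introduces and enforces the JSON depth limit is already present in this build (either in 2.9.5 or as a separate backport) — please confirm that before shipping the directive in the default config. The patch header also cites only "From Author: Martin Vierula" with no upstream commit id, which makes it hard to verify what was backported; adding the upstream reference would help. I would also document the dependency next to the directive, e.g. `# Requires a ModSecurity build that implements SecRequestBodyJsonDepthLimit; unknown directives abort httpd startup.`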