diff --git a/packages/cisco_ftd/_dev/deploy/docker/docker-compose.yml b/packages/cisco_ftd/_dev/deploy/docker/docker-compose.yml
index c8781a5dfce..3f2ccbaf584 100644
--- a/packages/cisco_ftd/_dev/deploy/docker/docker-compose.yml
+++ b/packages/cisco_ftd/_dev/deploy/docker/docker-compose.yml
@@ -6,8 +6,13 @@ services:
       - ./sample_logs:/sample_logs:ro
       - ${SERVICE_LOGS_DIR}:/var/log
     command: /bin/sh -c "cp /sample_logs/* /var/log/"
+  cisco-ftd-tcp:
+    image: docker.elastic.co/observability/stream:v0.6.2
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=tcp /sample_logs/cisco-ftd.log
   cisco-ftd-udp:
-    image: docker.elastic.co/observability/stream:v0.5.0
+    image: docker.elastic.co/observability/stream:v0.6.2
     volumes:
       - ./sample_logs:/sample_logs:ro
     command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=udp /sample_logs/cisco-ftd.log
diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml
index 0bd31f366a1..9037ee378e7 100644
--- a/packages/cisco_ftd/changelog.yml
+++ b/packages/cisco_ftd/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.2.0"
+  changes:
+    - description: Add TCP input with TLS support
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3313
 - version: "2.1.1"
   changes:
     - description: Added link to Cisco's FTD documentation in readme
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/cisco_ftd/data_stream/log/_dev/test/system/test-tcp-config.yml
new file mode 100644
index 00000000000..8904dbf1d3d
--- /dev/null
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/system/test-tcp-config.yml
@@ -0,0 +1,8 @@
+service: cisco-ftd-tcp
+service_notify_signal: SIGHUP
+input: tcp
+data_stream:
+  vars:
+    tcp_host: 0.0.0.0
+    tcp_port: 9514
+    preserve_original_event: true
diff --git a/packages/cisco_ftd/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_ftd/data_stream/log/agent/stream/tcp.yml.hbs
new file mode 100644
index 00000000000..8f3ae722938
--- /dev/null
+++ b/packages/cisco_ftd/data_stream/log/agent/stream/tcp.yml.hbs
@@ -0,0 +1,22 @@
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if tcp_options}}
+{{tcp_options}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ftd/data_stream/log/manifest.yml b/packages/cisco_ftd/data_stream/log/manifest.yml
index 4c7fab8f5d4..4491bc8ae30 100644
--- a/packages/cisco_ftd/data_stream/log/manifest.yml
+++ b/packages/cisco_ftd/data_stream/log/manifest.yml
@@ -46,6 +46,91 @@ streams:
         description: >
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
 
+  - input: tcp
+    title: Cisco FTD logs
+    description: Collect Cisco FTD logs
+    template_path: tcp.yml.hbs
+    vars:
+      - name: tags
+        type: text
+        title: Tags
+        multi: true
+        required: true
+        show_user: false
+        default:
+          - cisco-ftd
+          - forwarded
+      - name: tcp_host
+        type: text
+        title: TCP host to listen on
+        multi: false
+        required: true
+        show_user: true
+        default: localhost
+      - name: tcp_port
+        type: integer
+        title: TCP Port to listen on
+        multi: false
+        required: true
+        show_user: true
+        default: 9003
+      - name: preserve_original_event
+        required: true
+        show_user: true
+        title: Preserve original event
+        description: Preserves a raw copy of the original event, added to the field `event.original`
+        type: bool
+        multi: false
+        default: false
+      - name: processors
+        type: yaml
+        title: Processors
+        multi: false
+        required: false
+        show_user: false
+        description: >
+          Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+      - name: ssl
+        type: yaml
+        title: SSL Configuration
+        description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+        multi: false
+        required: false
+        show_user: false
+        default: |
+          #certificate_authorities:
+          #  - |
+          #    -----BEGIN CERTIFICATE-----
+          #    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+          #    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+          #    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+          #    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+          #    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+          #    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+          #    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+          #    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+          #    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+          #    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+          #    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+          #    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+          #    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+          #    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+          #    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+          #    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+          #    sxSmbIUfc2SGJGCJD4I=
+          #    -----END CERTIFICATE-----
+      - name: tcp_options
+        type: yaml
+        title: Custom TCP Options
+        multi: false
+        required: false
+        show_user: false
+        default: |
+          #max_connections: 1
+          #framing: delimitier
+          #line_delimiter: "\n"
+        description: Specify custom configuration options for the TCP input.
   - input: logfile
     enabled: false
     title: Cisco FTD logs
diff --git a/packages/cisco_ftd/manifest.yml b/packages/cisco_ftd/manifest.yml
index 28c3d47f682..8a6ec25e36a 100644
--- a/packages/cisco_ftd/manifest.yml
+++ b/packages/cisco_ftd/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_ftd
 title: Cisco FTD
-version: 2.1.1
+version: 2.2.0
 license: basic
 description: Collect logs from Cisco FTD with Elastic Agent.
 type: integration
@@ -21,6 +21,9 @@ policy_templates:
     title: Cisco FTD logs
     description: Collect logs from Cisco FTD instances
     inputs:
+      - type: tcp
+        title: Collect logs from Cisco FTD via TCP
+        description: Collecting logs from Cisco FTD via TCP
       - type: udp
         title: Collect logs from Cisco FTD via UDP
         description: Collecting logs from Cisco FTD via UDP