Which of the following snort rules look for FTP root login attempts?

A.
alert tcp -> any port 21 (msg:"user root";)

B.
alert tcp -> any port 21 (message:"user root";)

C.
alert ftp -> ftp (content:"user password root";)

D.
alert tcp any any -> any any 21 (content:"user root";)

Explanation:
The snort rule header is built by defining action (alert), protocol (tcp), from IP subnet port (any any), to IP subnet port (any any 21), Payload Detection Rule Options (content:"user root";)