diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 5a5f47c6..55b4be28 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -110,7 +110,7 @@
 # This detects writes immediately below / or any write anywhere below /root
 - macro: root_dir
-  condition: ((fd.directory=/ or fd.name startswith /root/) and fd.name contains "/")
+  condition: (fd.directory=/ or fd.name startswith /root/)
 
 - list: shell_binaries
   items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]
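Review bot: Dropping the `and fd.name contains "/"` clause from the `root_dir` condition widens what the macro matches, but neither the comment above it nor the diff records why that guard is no longer needed; the new condition accepts any fd with `fd.directory=/` regardless of whether `fd.name` holds a slash at all, which presumably also covers fds whose name could not be resolved to a path, if that field can be empty. Every rule that expands `root_dir` inherits this change, so its effect on false positives and on the sensitivity of those rules should be stated in the change, even if the guard was in practice redundant. I would add a line above the condition, e.g. `# The earlier "fd.name contains /" guard was dropped in <COMMIT-ID placeholder>; fd.directory alone is sufficient here.`, so the next reader does not reintroduce it. The comment line "This detects writes immediately below / or any write anywhere below /root" still describes the intent accurately and can stay.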