diff --git a/ChangeLog b/ChangeLog
index 1b60a00eb8..c25bed4c3b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,10 +10,6 @@ Security
      an error or a meaningless output from mbedtls_ecdh_get_params. In the
      latter case, this could expose at most 5 bits of the private key.
 
-API Changes
-   * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`.
-     See the Features section for more information.
-
 Features
    * Add support for draft-05 of the Connection ID extension, as specified
      in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
@@ -33,6 +29,10 @@ Features
      at the cost of additional lifetime constraints on the input
      buffer, but at the benefit of reduced RAM consumption.
 
+API Changes
+   * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`.
+     See the Features section for more information.
+
 Bugfix
    * Server's RSA certificate in certs.c was SHA-1 signed. In the default
      mbedTLS configuration only SHA-2 signed certificates are accepted.