How encode a relative short jmp in x86
The rel8 is relative to the next instruction's memory address, as can easily be confirmed by creating two executables and disassembling them:

    @label:
    jmp @label
    nop

This disassembles as (with ndisasm, it's the same in 16-bit, 32-bit and 64-bit code):

    EBFE    jmp short 0x0
    90      nop

Then, another executable:

    jmp @label
    @label:
    nop

    EB00    jmp short 0x2
    90      nop

So, the rel8 is always encoded relative to the next instruction after the jmp. Disassemblers (at least ndisasm and udcli), however, show it relative to the jmp instruction itself. That may possibly cause some confusion.
Whether it's a short jump or not, it's always destination - (source + sizeof(instruction)), i.e. dst - end_of_jmp.

In your case (short jump), sizeof(instruction) is 2.
The reason behind this addition is because of the fact that once the cpu has performed the instruction fetch stage, the instruction pointer is already pointing to the instruction that comes after the branch. The rel8 or rel32 branch displacement is relative to that EIP/RIP value.
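As an added example (not code from either answer), the rule dst - (src + 2) from both answers applied in Python: an encoder that checks the rel8 range, a decoder that reports both the CPU view (relative to the next instruction) and the ndisasm-style view (relative to the jmp itself), and a minimal two-pass assembler of my own construction that reproduces the two listings above (EB FE and EB 00). The tuple-based instruction format is an assumption made for this example.

```python
import struct

JMP_SHORT_OPCODE = 0xEB
JMP_SHORT_LEN = 2  # opcode byte + rel8 byte


def encode_jmp_short(src: int, dst: int) -> bytes:
    """Encode `jmp short dst` for a jmp located at address `src`.
    rel8 = dst - (src + 2): relative to the END of the jmp, as the answers state."""
    rel = dst - (src + JMP_SHORT_LEN)
    if not -128 <= rel <= 127:
        # Too far for rel8; a real assembler would fall back to the near (rel32) form.
        raise ValueError(f"target out of rel8 range: {rel:+d}")
    return bytes([JMP_SHORT_OPCODE]) + struct.pack("<b", rel)


def decode_jmp_short(code: bytes, addr: int) -> dict:
    """Decode an `EB xx` instruction located at `addr`.
    Returns the signed rel8 (CPU view), the absolute target, and the target
    relative to the jmp itself, which is what ndisasm/udcli print
    (EB FE at address 0 shows as `jmp short 0x0`)."""
    if len(code) < JMP_SHORT_LEN or code[0] != JMP_SHORT_OPCODE:
        raise ValueError("not a short jmp")
    rel8 = struct.unpack("<b", code[1:2])[0]
    target = addr + JMP_SHORT_LEN + rel8
    return {"rel8": rel8, "target": target, "disasm_offset": target - addr}


def assemble(instructions, base: int = 0) -> bytes:
    """Minimal two-pass assembler (constructed for this example) over the tuples
    ("label", name), ("jmp", name) and ("nop",); enough for the two listings."""
    labels, pc = {}, base
    for ins in instructions:  # pass 1: resolve label addresses
        if ins[0] == "label":
            labels[ins[1]] = pc
        else:
            pc += JMP_SHORT_LEN if ins[0] == "jmp" else 1
    out, pc = bytearray(), base
    for ins in instructions:  # pass 2: emit bytes; each jmp is relative to its own end
        if ins[0] == "jmp":
            out += encode_jmp_short(pc, labels[ins[1]])
            pc += JMP_SHORT_LEN
        elif ins[0] == "nop":
            out.append(0x90)
            pc += 1
    return bytes(out)
```

Because the displacement is relative, the same bytes come out whatever base address the listing is assembled at.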