Also in the URL. Both are totally okay, and even desirable. We’ve become so accustomed to managing state in abstractions of the DOM that this seems like a crazy idea, but it has led to all kinds of pain points from complexity to, well, the DOM and URL not always reflecting the state of the application accurately. It’s pretty awful.

The better we can keep state out of abstractions without losing maintainability or performance, the better.

Why "should" it be done with JSON?

What are the other ways? XML inside the attribute value or splitting up in a bunch of data attributes?

Well it's hard to say because the OP didn't actually specify what state he's storing with JSON. Given we're talking about HTMX, all durable state should be server-side and client-side state should be generated by the server to round-trip back to the server, so it's not really clear why JSON should should be used here. Typically in this context, state is stored server-side, or client-side in input fields or in the URL as parameters (HATEOAS).