Suricata: Rename event.type to suricata.eve.event_type (#10575)

`event.type` is reserved for future use in ECS. Fallback to the original
Suricata field.

This undoes a previous aliasing to `event.type` in 7.0.

Also sets `event.kind` to `event`.

CHANGELOG.next.asciidoc

@@ -84,6 +84,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
   still used for matcher. {issue}10505[10505] {pull}10506[10506]
 - Change type of haproxy.source from text to keyword. {pull}10506[10506]
 - Populate more ECS fields in the Suricata module. {pull}10006[10006]
+- Rename `event.type` to `suricata.eve.event_type` in Suricata module because event.type is reserved for future use by ECS. {pull}10575[10575]
 
 *Heartbeat*
 

dev-tools/ecs-migration.yml

@@ -349,11 +349,6 @@
   alias: true
   beat: filebeat
 
-- from: suricata.eve.event_type
-  to: event.type
-  alias: true
-  beat: filebeat
-
 - from: suricata.eve.fileinfo.filename
   to: file.path
   alias: true
@@ -444,6 +439,12 @@
   alias: true
   beat: filebeat
 
+- from: event.type
+  to: suricata.eve.event_type
+  alias: false
+  beat: auditbeat
+  comment: event.type is reserved for future use by ECS.
+
 ## System module
 
 - from: system.syslog.hostname

filebeat/docs/fields.asciidoc

@@ -11324,9 +11324,7 @@ Fields exported by the EVE JSON logs
 *`suricata.eve.event_type`*::
 +
 --
-type: alias
-
-alias to: event.type
+type: keyword
 
 --
 

x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Alert-Overview.json

@@ -246,7 +246,7 @@
                   "alias": null,
                   "disabled": false,
                   "index": "filebeat-*",
-                  "key": "event.type",
+                  "key": "suricata.eve.event_type",
                   "negate": false,
                   "params": {
                     "query": "alert",
@@ -257,7 +257,7 @@
                 },
                 "query": {
                   "match": {
-                    "event.type": {
+                    "suricata.eve.event_type": {
                       "query": "alert",
                       "type": "phrase"
                     }

x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Overview.json

@@ -42,7 +42,7 @@
               "enabled": true,
               "id": "3",
               "params": {
-                "field": "event.type",
+                "field": "suricata.eve.event_type",
                 "missingBucket": false,
                 "missingBucketLabel": "Missing",
                 "order": "desc",
@@ -161,7 +161,7 @@
               "enabled": true,
               "id": "2",
               "params": {
-                "field": "event.type",
+                "field": "suricata.eve.event_type",
                 "missingBucket": false,
                 "missingBucketLabel": "Missing",
                 "order": "desc",
@@ -396,7 +396,7 @@
       "attributes": {
         "columns": [
           "host.name",
-          "event.type",
+          "suricata.eve.event_type",
           "suricata.eve.flow_id",
           "network.transport",
           "source.ip",
@@ -419,7 +419,7 @@
                   "alias": null,
                   "disabled": false,
                   "index": "filebeat-*",
-                  "key": "event.type",
+                  "key": "suricata.eve.event_type",
                   "negate": true,
                   "params": {
                     "query": "stats",
@@ -430,7 +430,7 @@
                 },
                 "query": {
                   "match": {
-                    "event.type": {
+                    "suricata.eve.event_type": {
                       "query": "stats",
                       "type": "phrase"
                     }
@@ -691,7 +691,7 @@
                   "alias": null,
                   "disabled": false,
                   "index": "filebeat-*",
-                  "key": "event.type",
+                  "key": "suricata.eve.event_type",
                   "negate": false,
                   "params": {
                     "query": "stats",
@@ -702,7 +702,7 @@
                 },
                 "query": {
                   "match": {
-                    "event.type": {
+                    "suricata.eve.event_type": {
                       "query": "stats",
                       "type": "phrase"
                     }

x-pack/filebeat/module/suricata/eve/_meta/fields.yml

@@ -4,8 +4,7 @@
     Fields exported by the EVE JSON logs
   fields:
     - name: event_type
-      type: alias
-      path: event.type
+      type: keyword
 
     - name: app_proto_orig
       type: keyword

x-pack/filebeat/module/suricata/eve/ingest/pipeline.json

@@ -124,7 +124,6 @@
         {
             "lowercase": {
                 "field": "suricata.eve.event_type",
-                "target_field": "event.type",
                 "ignore_missing": true
             }
         },
@@ -244,7 +243,6 @@
             "remove": {
                 "field": [
                     "suricata.eve.app_proto",
-                    "suricata.eve.event_type",
                     "suricata.eve.flow.end",
                     "suricata.eve.flow.start",
                     "suricata.eve.http.http_method",
@@ -254,6 +252,12 @@
                 ],
                 "ignore_missing": true
             }
+        },
+        {
+            "set": {
+                "field": "event.kind",
+                "value": "event"
+            }
         }
     ],
     "on_failure": [