From d1c0c0b7bc446d196b78130203f27f8d23297107 Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Wed, 10 Nov 2021 21:34:24 -0500
Subject: [PATCH] Osquerybeat: Allow event.category to be set with ECS mapping to value (#28653) (#28913)
(cherry picked from commit 81771653a380b4486b965c961bda52845089c9b4)
Co-authored-by: Aleksandr Maus
---
 x-pack/osquerybeat/internal/pub/publisher.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/x-pack/osquerybeat/internal/pub/publisher.go b/x-pack/osquerybeat/internal/pub/publisher.go
index 0e3e0818e71c..fb01e5deae59 100644
--- a/x-pack/osquerybeat/internal/pub/publisher.go
+++ b/x-pack/osquerybeat/internal/pub/publisher.go
@@ -117,9 +117,17 @@ func hitToEvent(index, eventType, actionID, responseID string, hit map[string]in
 }
 // Add event.module for ECS
- fields["event"] = map[string]string{
- "module": eventModule,
+ // There could be already "event" properties set, preserve them and set the "event.module"
+ var evf map[string]interface{}
+ ievf, ok := fields["event"]
+ if ok {
+ evf, ok = ievf.(map[string]interface{})
 }
+ if !ok {
+ evf = make(map[string]interface{})
+ }
+ evf["module"] = eventModule
+ fields["event"] = evf
 fields["type"] = eventType
 fields["action_id"] = actionID
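Review bot: The `if !ok` fallback silently replaces whatever the ECS mapping stored under `event` whenever that value is not exactly a `map[string]interface{}`, so a mapped `event.category` can disappear without trace; if the mapping layer can yield a named map type (libbeat's `common.MapStr`, for instance, which this hunk does not show), the assertion fails for it as well and the "preserve them" comment no longer holds. Because downstream detection rules commonly key on `event.category`, that branch deserves at least a comment such as `// a non-map "event" value is discarded, not merged`, or a debug log if a logger is in scope. Separately, an interface holding a nil `map[string]interface{}` passes the assertion with `ok == true`, and the write `evf["module"] = eventModule` would then panic; `if !ok || evf == nil {` closes that. Assigning `module` after the merge is the right order, since it keeps a mapping from overriding the beat's own `event.module`. The body of hitToEvent starts and ends outside this hunk.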