[Docs] Discuss patterns for ECS vs vendor prefixed fields in the Integrations Developer Guide

[chrisberkhout]

When mapping fields in integrations, we use ECS fields whenever possible, but there are several approaches to handling additional data:

• Put values without an ECS field under a vendor prefix.
• Put everything under a vendor prefix and copy values to ECS fields when possible.
• Put everything under a vendor prefix and copy values to ECS fields when possible, and have a policy option to drop vendor fields that have ECS equivalents.

A question that sometimes comes up is: should the vendor-prefixed fields follow the upstream data model as closely as possible, or should it follow the patterns used in ECS?

The best approach may depend on:

• How much of the available data matches ECS
• How valuable the non-ECS data is to users
• How many field there are
• The total volume of data

The Integrations Developer Guide could include a section that discusses these options and makes recommendations.

[chrisberkhout]

Related discussion: #10811 (comment)