elastic · andrewstucki · Jun 18, 2020 · Jun 12, 2020 · Jun 12, 2020 · Jun 12, 2020
diff --git a/packetbeat/pb/ecs.go b/packetbeat/pb/ecs.go
@@ -17,40 +17,42 @@
 
 package pb
 
-import "time"
+import (
+	"github.com/elastic/ecs/code/go/ecs"
+)
+
+// Fixes for non-array datatypes
+// =============================
+//
+// Code at github.com/elastic/ecs/code/go/ecs has some fields as string
+// when they should be []string.
+//
+// Once the code generator is fixed, this code will no longer compile
+// which reminds us to strip out the overrides below
+var (
+	compileTimeUpgradeCheckEvent = ecs.Event{
+		Type: "remove this when we upgrade ECS",
+	}
+	compileTimeUpgradeCheckRelated = ecs.Related{
+		User: "remove this when we upgrade ECS",
+	}
+)
 
 type ecsEvent struct {
-	ID   string `ecs:"id"`
-	Code string `ecs:"code"`
-	Kind string `ecs:"kind"`
+	ecs.Event `ecs:",inline"`
 	// overridden because this needs to be an array
 	Category []string `ecs:"category"`
-	Action   string   `ecs:"action"`
-	Outcome  string   `ecs:"outcome"`
 	// overridden because this needs to be an array
-	Type          []string      `ecs:"type"`
-	Module        string        `ecs:"module"`
-	Dataset       string        `ecs:"dataset"`
-	Provider      string        `ecs:"provider"`
-	Severity      int64         `ecs:"severity"`
-	Original      string        `ecs:"original"`
-	Hash          string        `ecs:"hash"`
-	Duration      time.Duration `ecs:"duration"`
-	Sequence      int64         `ecs:"sequence"`
-	Timezone      string        `ecs:"timezone"`
-	Created       time.Time     `ecs:"created"`
-	Start         time.Time     `ecs:"start"`
-	End           time.Time     `ecs:"end"`
-	RiskScore     float64       `ecs:"risk_score"`
-	RiskScoreNorm float64       `ecs:"risk_score_norm"`
-	Ingested      time.Time     `ecs:"ingested"`
-	Reference     string        `ecs:"reference"`
-	Url           string        `ecs:"url"`
+	Type []string `ecs:"type"`
 }
 
 type ecsRelated struct {
-	IP   []string `ecs:"ip"`
+	ecs.Related `ecs:",inline"`
+	// overridden because this needs to be an array
+	IP []string `ecs:"ip"`
+	// overridden because this needs to be an array
 	User []string `ecs:"user"`
+	// overridden because this needs to be an array
 	Hash []string `ecs:"hash"`
 
 	// for de-dup

diff --git a/packetbeat/pb/event.go b/packetbeat/pb/event.go
@@ -18,8 +18,10 @@
 package pb
 
 import (
+	"fmt"
 	"net"
 	"reflect"
+	"strings"
 	"time"
 
 	"github.com/pkg/errors"
@@ -74,8 +76,10 @@ type Fields struct {
 func NewFields() *Fields {
 	return &Fields{
 		Event: ecsEvent{
-			Duration: -1,
-			Kind:     "event",
+			Event: ecs.Event{
+				Duration: -1,
+				Kind:     "event",
+			},
 			Type:     []string{"connection", "protocol"},
 			Category: []string{"network_traffic", "network"},
 		},
@@ -336,13 +340,33 @@ func marshalStruct(m common.MapStr, key string, val reflect.Value) error {
 			break
 		}
 
+		inline := false
+		tags := strings.Split(tag, ",")
+		if len(tags) > 1 {
+			for _, flag := range tags[1:] {
+				switch flag {
+				case "inline":
+					inline = true
+				default:
+					return fmt.Errorf("Unsupported flag %q in tag %q of type %s", flag, tag, typ)
+				}
+			}
+			tag = tags[0]
+		}
+
 		fieldValue := val.Field(i)
 		if !fieldValue.IsValid() || isEmptyValue(fieldValue) {
 			continue
 		}
 
-		if _, err := m.Put(key+"."+tag, fieldValue.Interface()); err != nil {
-			return err
+		if inline {
+			if err := marshalStruct(m, key, fieldValue); err != nil {
+				return err
+			}
+		} else {
+			if _, err := m.Put(key+"."+tag, fieldValue.Interface()); err != nil {
+				return err
+			}
 		}
 	}
 	return nil