The problem with DATA is that it can match as much or as little as it wants. In this case it is matching nothing, as you will see if you add
keep_empty_captures => true
to your grok filter, which will result in you getting
"domain" => "",
Try
grok { match => { "teste3" => "%{IPV4:CC}%{SPACE}%{WORD}:%{SPACE}%{NOTSPACE:domain}" } }
HOSTNAME is another option instead of NOTSPACE.