Getting timestamp field from XML attribute

Not exactly. The default for store_xml is true, so the complete XML document is parsed and stored in the target field (doc, in your case). [doc] is an object which has many objects nested inside it. So, based on an SCAP file I found online, it might contain a [doc][Benchmark][TestResult][rule-result][result][override][old-result] field that has a concrete value in it. But the 6 fields that parent it are all objects, not just fields.

For debugging purposes, set store_xml to false and verify the fields you are extracting with xpath look OK.

If this mapping [doc.Value.value] is not obfuscated then that is the field that is causing the problem. Check the mapping of the index. Turn store_xml back on and replace the elasticsearch index with output { stdout { codec => rubydebug } } and see what the format of [doc][Value] is.

See this post for ideas on how to reformat the data once you have decided whether you want it to be a concrete value or an object.

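The debugging sequence described in the answer, as an added example pipeline that is not from the thread: it assumes the XML arrives in the `message` field and that the wanted timestamp is the `start-time` attribute of an XCCDF `TestResult` element (the xpath expressions and field names `test_start`/`test_end` are assumptions for illustration).

```logstash
# Added debugging pipeline (not from the original thread). Assumes the XML
# document is in "message" and the timestamp is the start-time attribute of
# /Benchmark/TestResult, as in XCCDF/SCAP result files.
input {
  stdin { }
}

filter {
  xml {
    source            => "message"
    target            => "doc"
    # Step 1: keep store_xml off while checking the xpath extractions, so the
    # nested [doc] object cannot collide with the index mapping.
    store_xml         => false
    # Strip the XCCDF namespaces so plain xpath expressions match.
    remove_namespaces => true
    # xpath results are always stored as arrays, hence [test_start][0] below.
    xpath => {
      "/Benchmark/TestResult/@start-time" => "test_start"
      "/Benchmark/TestResult/@end-time"   => "test_end"
    }
  }

  # Parse the extracted attribute (first array element) into @timestamp;
  # events whose attribute is missing or malformed get a tag instead of
  # silently keeping the ingest time.
  date {
    match          => [ "[test_start][0]", "ISO8601" ]
    target         => "@timestamp"
    tag_on_failure => [ "_xml_timestamp_failed" ]
  }
}

output {
  # Step 2: inspect the event instead of indexing it. Once the extracted
  # fields look right, set store_xml back to true and check whether
  # [doc][Value] comes out as a concrete value or as a nested object.
  stdout { codec => rubydebug }
}
```

Run with `bin/logstash -f this.conf < result.xml` and compare the printed event against the index mapping before re-enabling the elasticsearch output.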