Thank you Steffens,
using your "rename" solution seems to do the job.
at least, I guess because now, I've another issue concerning the invalid @timestamp format and the 'error' field 
anyway,
I opened a github issue for the @timestamp format,
and another discussion about the "error" field.
Hm..., can
hostin your JSON document differ from the host filebeat runs on? If not then we don't need the initialrenameordecode_jsonprocessors. Just migrate tohost.name(remember, ECS), or use the global rename process to movehost.nametohost.
I think it differs.
from what I see in metricbeat, beat.host is supposed to be the short-name, in my log file, host is the long name (more like beat.hostname).
I will look at the default filebeat template, 4556 lines, THAT is huge.
thank you for everything