I'm pretty sure that event.to_hash gives you a multidimensional data structure, so there would be a key "data", not "[data][ecs]". But I think you would only need ruby for this kind of action if your target is the root level of the event (many threads for this, e.g.: Move subarrays to document root). If there is a target field, simply renaming your field should work:
mutate {
rename => {
"[data][ecs]" => "ecs"
}
}