These two journalbeat translated fields for the Docker --log-driver=journald messages seem wrong:
conatiner.id_truncated is typo'd (also in git master): https://github.com/elastic/beats/blob/v6.5.4/journalbeat/reader/fields.go#L83
container.image.tag from CONTAINER_TAG seems wrong per the ECS spec: it's not the tag part of the container image, it's whatever gets configured via docker run --log-opt tag=.... It defaults to the truncated container ID, although you could configure it to be e.g. --log-opt 'tag={{.ImageName}}' - but even that would give you the full image reference (REPO/IMAGE:TAG), not just the tag.
For my setup, I've configured logstash with mutate { replace => { "[container][image][tag]" => "[container][tag]" } } as a workaround, because most of my filter rules are based on the CONTAINER_TAG, and it doesn't make any sense to mix those up with the actual [container][image][tag] that might be gathered by something like the Docker metadata processor.