Logstash 8.x ecs.compatibility mode adds event.original

As already discussed in a previous thread, Logstash in ecs.compatibility mode adds the event.original field to all events.

The proposed solution was to turn off ecs.compatibility. The problem is that disabling ecs.compatibility only to get rid of event.original makes all the Logstash plugins ECS-incompatible as well.
From my point of view, the handling of event.original should be separated from ecs.compatibility mode. ECS only specifies the name and mapping of the field (unindexed keyword), but not whether the field is present or not.
Please consider a change of the current behavior. One possible option would be to add the original message to the metadata, like @metadata.original. This way it could be renamed if needed or silently ignored if not. Having the field available by default unnecessarily inflates the size of the events and can even break stuff like the Azure Activity Log ingest pipeline of the Elastic integration.

Let's discuss
