Logstash Nested Fields - Cloudtrail logs - No root field

Hello all,

First of all, I'm running version 7.10.2 in Docker.

I have some CloudTrail logs stored as .gz files that I'm reading; after parsing, I rename the Records fields and build the different nested fields. When I try to view them in Kibana, they are not under the root field.

Logstash config:

input {
  # One-shot ingestion of the downloaded CloudTrail archives; read mode
  # consumes each file from start to end instead of tailing it.
  file {
    mode => "read"
    sincedb_path => "/dev/null"
    path => "/tmp/*.gz"
    # NOTE(review): in read mode the plugin's file_completed_action
    # defaults to "delete", so every archive is removed once it has been
    # read, and with sincedb_path at /dev/null no read position survives a
    # restart. If these .gz files are the only copy of the CloudTrail
    # logs, file_completed_action => "log" keeps them on disk.
  }
}

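filter {
  # Each archive holds {"Records": [ ... ]}. Decode the document into the
  # event root, then fan out one event per record; the split leaves the
  # current record under [Records]. A message that is not JSON is tagged
  # _jsonparsefailure and the split then has nothing to work on.
  json {
    source => "message"
  }
  split {
    field => "Records"
  }

  date {
    match => ["[Records][eventTime]", "ISO8601"]
    target => "@timestamp"
    # remove_field only runs when the date parse succeeds; on failure the
    # event keeps message/host/path and is tagged _dateparsefailure.
    remove_field => ["message", "host", "path"]
  }

  # Promote the record's attributes to the event root with ONE rename hash
  # instead of one `rename =>` option per field, so every mapping is
  # applied without relying on how repeated plugin options are merged.
  # Any record key not listed here (newer CloudTrail fields such as
  # eventCategory or tlsDetails, if present) stays under [Records].
  mutate {
    rename => {
      "[Records][requestID]"           => "requestID"
      "[Records][eventVersion]"        => "eventVersion"
      "[Records][sharedEventID]"       => "sharedEventID"
      "[Records][eventSource]"         => "eventSource"
      "[Records][eventTime]"           => "eventTime"
      "[Records][eventID]"             => "eventID"
      "[Records][userIdentity]"        => "userIdentity"
      "[Records][awsRegion]"           => "awsRegion"
      "[Records][resources]"           => "resources"
      "[Records][eventType]"           => "eventType"
      "[Records][responseElements]"    => "responseElements"
      "[Records][assumedRoleUser]"     => "assumedRoleUser"
      "[Records][sourceIPAddress]"     => "sourceIPAddress"
      "[Records][eventName]"           => "eventName"
      "[Records][userAgent]"           => "userAgent"
      "[Records][recipientAccountId]"  => "recipientAccountId"
      "[Records][requestParameters]"   => "requestParameters"
      "[Records][readOnly]"            => "readOnly"
      "[Records][additionalEventData]" => "additionalEventData"
      "[Records][apiVersion]"          => "apiVersion"
      "[Records][errorCode]"           => "errorCode"
      "[Records][errorMessage]"        => "errorMessage"
      "[Records][managementEvent]"     => "managementEvent"
      "[Records][vpcEndpointId]"       => "vpcEndpointId"
    }
  }
}
# The original listing closed the filter section twice; the stray extra
# "}" would make Logstash reject the whole pipeline at parse time.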
 
output {
  # Uncomment while debugging to print every event to the Logstash log.
  # stdout { codec => rubydebug }
  elasticsearch {
    index => 'cloudtrail-2022'
    hosts => 'http://localhost:9200'
    # NOTE(review): plain HTTP with no user/password only suits a local,
    # unsecured cluster; a secured 7.10 cluster needs the output's
    # user/password and ssl settings.
    # The userIdentity mapping must exist on this index (or be applied via
    # an index template) before the first document is indexed: once
    # dynamic mapping has created the field as an object it cannot be
    # changed to nested without reindexing.
  }
}

I know that after doing this, fields like userIdentity are nested fields. I tried forcing the mapping, but it still didn't work:

{
"properties": {
  "userIdentity": {
    "type": "nested",
    "properties" : {
      "accessKeyId" : {"type" : "keyword" },
      "accountId" : { "type" : "keyword"},
      "arn" : { "type" : "keyword"},
      "identityProvider" : { "type" : "keyword"},
      "invokedBy" : { "type" : "keyword"},
      "principalId" : { "type" : "keyword"},
      "type" : { "type" : "keyword"},
      "userName" : { "type" : "keyword"},
      "sessionContext" : {
        "type" : "nested",
        "properties" : {
            "attributes" : {
                "type" : "nested",
                "properties" : {
                    "mfaAuthenticated" : { "type" : "keyword"}
                }
            },
            "sessionIssuer" : {
                "type" : "nested",
                    "properties" : {
                        "accountId" : { "type" : "keyword"},
                        "arn" : { "type" : "keyword"},
                        "principalId" : { "type" : "keyword"},
                        "type" : { "type" : "keyword"},
                        "userName" : { "type" : "keyword"}
                    }
            }
        }
      }
    }
    }
  }
}

Below is the Kibana screenshot.

I would like to have some guidance on this.
Thanks in advance for your help.

Best Regards.
Pedro Cabral