I found the solution. It's not the field name that is at fault: in the Logstash filter it's `AttachmentDetails`, and in the Ruby code it's `attachmentDetails` to store the JSON value.
The issue was that Logstash considers the field `attachmentdetails` as a string that is not valid JSON, which explains why the ruby filter did not work. I added a section to parse the field with the json filter before processing, and it works.
```
if [AttachmentDetails] {
  ruby {
    code => '
      require "json"
      file_name = []
      file_hash = []
      file_verdict = []
      file_size = []
      attachment_details = event.get("AttachmentDetails")
      if attachment_details
        # The field may still arrive as a raw JSON string; decode it first.
        if attachment_details.is_a?(String)
          attachment_details = JSON.parse(attachment_details)
        end
        # One entry per attachment, keyed by filename; keep the arrays
        # aligned by pushing nil when a scanner section is missing.
        attachment_details.each do |filename, file_details|
          file_name << filename
          if file_details && file_details["AMP"]
            file_hash << file_details["AMP"]["fileHash"]
            file_verdict << file_details["AMP"]["Verdict"]
          else
            file_hash << nil
            file_verdict << nil
          end
          if file_details && file_details["BodyScanner"]
            file_size << file_details["BodyScanner"]["fsize"]
          else
            file_size << nil
          end
        end
      end
      event.set("file_name", file_name)
      event.set("file_hash", file_hash)
      event.set("file_verdict", file_verdict)
      event.set("file_size", file_size)
      # Drop the nested original now that it has been flattened.
      event.remove("AttachmentDetails")
    '
  }
}
```
Thanks @Badger
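The same flattening logic, written here as an added stand-alone Ruby example so it can be run outside Logstash (it is not the poster's code). It assumes a minimal `FakeEvent` stand-in for the Logstash event API (`get`/`set`/`remove`/`tag`), a constructed sample `AttachmentDetails` value (not a real log), and the field layout from the post: `AMP.fileHash`, `AMP.Verdict`, `BodyScanner.fsize`. It goes slightly beyond the post by handling the two failure modes a pipeline actually meets: the field is a string that is not valid JSON (tagged and left untouched rather than crashing the filter), and the decoded value is not a hash.

```ruby
require "json"

# Minimal stand-in for the Logstash event API (assumption for this example),
# so the filter logic can be exercised without a running Logstash.
class FakeEvent
  def initialize(fields)
    @fields = fields
  end

  def get(key)        = @fields[key]
  def set(key, value) = @fields[key] = value
  def remove(key)     = @fields.delete(key)
  def tag(name)       = (@fields["tags"] ||= []) << name
  def to_hash         = @fields
end

# Flattens AttachmentDetails into parallel arrays (file_name, file_hash,
# file_verdict, file_size). Accepts the field either as a JSON string, as
# seen when the upstream parser did not decode it, or as a decoded Hash.
def flatten_attachment_details(event)
  raw = event.get("AttachmentDetails")
  return event if raw.nil?

  details = raw
  if raw.is_a?(String)
    begin
      details = JSON.parse(raw)
    rescue JSON::ParserError
      # Invalid JSON: tag the event for triage and keep the original field.
      event.tag("_attachmentdetails_jsonparsefailure")
      return event
    end
  end

  unless details.is_a?(Hash)
    event.tag("_attachmentdetails_unexpected_type")
    return event
  end

  names, hashes, verdicts, sizes = [], [], [], []
  details.each do |filename, file_details|
    file_details = {} unless file_details.is_a?(Hash)
    amp     = file_details["AMP"] || {}
    scanner = file_details["BodyScanner"] || {}
    # Push nil where a scanner section is absent so all arrays stay aligned
    # by index with file_name.
    names    << filename
    hashes   << amp["fileHash"]
    verdicts << amp["Verdict"]
    sizes    << scanner["fsize"]
  end

  event.set("file_name", names)
  event.set("file_hash", hashes)
  event.set("file_verdict", verdicts)
  event.set("file_size", sizes)
  event.remove("AttachmentDetails")
  event
end

# Constructed sample (not a real log line): one attachment with both scanner
# sections, one with only BodyScanner.
SAMPLE_JSON = '{"invoice.pdf":{"AMP":{"fileHash":"PLACEHOLDER_SHA256","Verdict":"CLEAN"},' \
              '"BodyScanner":{"fsize":12345}},"notes.txt":{"BodyScanner":{"fsize":42}}}'

if __FILE__ == $PROGRAM_NAME
  ev = flatten_attachment_details(FakeEvent.new("AttachmentDetails" => SAMPLE_JSON))
  puts JSON.pretty_generate(ev.to_hash)
end
```

Running it prints the flattened event; the malformed-JSON path leaves `AttachmentDetails` in place and adds a `_attachmentdetails_jsonparsefailure` tag, which is easier to alert on than a silently failing ruby filter.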
