The message
field is like a default field. It's where most input plugins place the payload that they receive from the network, read from a file, or whatever. So no, it's not just a convention.
In many log formats the message field starts with a timestamp, maybe a severity level, possibly a hostname, and so on, and ends with the actual message. In such cases one typically extract the timestamp etc into fields of their own and remove them from the message
field. In other cases like HTTP logs there is no free-text message.