In this context, think of JSON objects as namespaces. Related information gets stored under a common root, which makes it easier for humans to identify which bits of the data belong together.
Functionally and performance-wise these 3 are equivalent:
"source_ip": "10.20.30.40""source.ip": "10.20.30.40""source": { "ip": "10.20.30.40"}
The 3rd option groups the related fields in the _source of a document and makes it easier to read, IMO.