From 619402cc671bde3c99b4473d11d8effd37ddb752 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Mon, 3 May 2021 17:03:30 +0000
Subject: [PATCH] Add event_data to common template so elastalert/playbook event_data fields can be indexed and searchable
---
 salt/elasticsearch/templates/so/so-common-template.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json
index c1f0a6755..8adbdcf13 100644
--- a/salt/elasticsearch/templates/so/so-common-template.json
+++ b/salt/elasticsearch/templates/so/so-common-template.json
@@ -228,7 +228,11 @@
 "event":{
 "type":"object",
 "dynamic": true
- },
+ },
+ "event_data":{
+ "type":"object",
+ "dynamic": true
+ },
 "file":{
 "type":"object",
 "dynamic": true
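Review bot: `"dynamic": true` on the new `event_data` object lets whatever elastalert/playbook writes there create sub-fields without any bound, and the first value seen fixes each sub-field's type. If those payloads carry arbitrary keys copied from the triggering events (likely, though the writers are not visible in this hunk), a later alert whose value conflicts with the already-mapped type is rejected at index time, and a large key set can push the index towards `index.mapping.total_fields.limit`; in both cases alert records silently go missing from search. Consider mapping the sub-fields that are known explicitly and covering the remainder with a dynamic template that maps strings as `keyword`, and confirm the field limit for indices using this template leaves headroom. The enclosing mappings object starts and ends outside the hunk, so any dynamic templates that already apply here cannot be checked from this view.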