From 6f42ff34422ba1bf7e8c560a1cd7fb7da1fe63c9 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 20 Nov 2025 14:16:49 -0600
Subject: [PATCH] suricata capture_file

---
 salt/elasticsearch/files/ingest/suricata.common | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common
index 5af35dc37..7b2dc7eeb 100644
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
@@ -138,6 +138,13 @@
 "ignore_failure": false
 }
 },
+ {
+ "rename": {
+ "field": "message2.capture_file",
+ "target_field": "suricata.capture_file",
+ "ignore_missing": true
+ }
+ },
 {
 "pipeline": {
 "if": "ctx?.event?.dataset != null",
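Review bot: The new rename processor sets only `"ignore_missing": true` and leaves `ignore_failure` unset, while the processor directly above it in the hunk's context spells out `"ignore_failure": false`; the file appears to declare this option explicitly per processor, so the new block should follow suit, e.g. `"ignore_missing": true,` followed by `"ignore_failure": false`. Worth keeping in mind that an Elasticsearch rename processor fails when the target field already exists, so if `suricata.capture_file` can already be populated before this step (I cannot tell from the hunk), that failure would stop the pipeline for that document unless `ignore_failure` is deliberately set. The value being moved is a sensor-local pcap path, so the field's mapping and any ECS alias (`file.path`) should be confirmed where the template is defined rather than here. The enclosing processors array starts and ends outside the hunk.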