From bcce205430c526c19f138c3c3e3b24a3f19cd243 Mon Sep 17 00:00:00 2001
From: doug
Date: Mon, 22 Feb 2021 13:00:14 -0500
Subject: [PATCH] Improve support for Suricata metadata #2200
---
 salt/elasticsearch/files/ingest/suricata.ftp | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/suricata.ftp b/salt/elasticsearch/files/ingest/suricata.ftp
index 7d29fa708..492bd97e9 100644
--- a/salt/elasticsearch/files/ingest/suricata.ftp
+++ b/salt/elasticsearch/files/ingest/suricata.ftp
@@ -1,14 +1,14 @@
 {
 "description" : "suricata.ftp",
 "processors" : [
- { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
- { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
- { "rename": { "field": "message2.ftp.reply", "target_field": "server.reply_message", "ignore_missing": true } },
- { "rename": { "field": "message2.ftp.completion_code", "target_field": "server.reply_code", "ignore_missing": true } },
- { "rename": { "field": "message2.ftp.reply_received", "target_field": "server.reply_received", "ignore_missing": true } },
- { "rename": { "field": "message2.ftp.command", "target_field": "ftp.command", "ignore_missing": true } },
- { "rename": { "field": "message2.ftp.command_data", "target_field": "ftp.command_data", "ignore_missing": true } },
- { "rename": { "field": "message2.ftp.dynamic_port", "target_field": "ftp.data_channel_destination.port", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.reply", "target_field": "server.reply_message", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.completion_code", "target_field": "server.reply_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.reply_received", "target_field": "server.reply_received", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.command", "target_field": "ftp.command", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.command_data", "target_field": "ftp.argument", "ignore_missing": true } },
+ { "rename": { "field": "message2.ftp.dynamic_port", "target_field": "ftp.data_channel_destination.port", "ignore_missing": true } },
 { "pipeline": { "name": "common" } }
 ]
 }
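Review bot: Every rename processor in the new side sets only `"ignore_missing": true`, which covers a missing source field but not a target field that already exists; the Elasticsearch rename processor fails in that case, and a single failing processor with no `on_failure` handler rejects the whole event, so an FTP record that already carries `network.transport` or `network.protocol` when it reaches this pipeline would be dropped rather than indexed. Whether an upstream pipeline populates those two fields before `suricata.ftp` runs is not visible here, so please confirm it; if it can, add an `"on_failure"` block on the pipeline (or a `remove` of the target before each rename) so the document is still indexed with the original `message2.*` fields intact. The same gap applies to the other six renames in this hunk. Separately, the new `ftp.argument` field receives Suricata's `command_data` verbatim, which presumably includes the argument of `PASS` commands, so cleartext credentials may land in this index; that was already true of `ftp.command_data`, but the rename is a good moment to document that field sensitivity in the pipeline `"description"` and check that index access controls reflect it. Only the seventh rename changes its target; the other seven removed/added pairs read identically here, which suggests whitespace-only churn.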