From bc709dd67a051ff775bb19770080a6c73a68ab5f Mon Sep 17 00:00:00 2001
From: Panos Koutsovasilis <panos.koutsovasilis@elastic.co>
Date: Wed, 3 Apr 2024 11:31:30 +0300
Subject: [PATCH] fix(fim/ebpf): make container id event field ecs-compliant

---
 auditbeat/module/file_integrity/event.go       |  2 +-
 auditbeat/module/file_integrity/event_linux.go | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/auditbeat/module/file_integrity/event.go b/auditbeat/module/file_integrity/event.go
index e4e7a6198ca3..63463acbe0d3 100644
--- a/auditbeat/module/file_integrity/event.go
+++ b/auditbeat/module/file_integrity/event.go
@@ -402,7 +402,7 @@ func buildMetricbeatEvent(e *Event, existedBefore bool) mb.Event {
 	}
 
 	if e.ContainerID != "" {
-		file["container.id"] = e.ContainerID
+		out.MetricSetFields.Put("container.id", e.ContainerID)
 	}
 
 	if len(e.Hashes) > 0 {
diff --git a/auditbeat/module/file_integrity/event_linux.go b/auditbeat/module/file_integrity/event_linux.go
index 49f94b50da94..3f849e359b17 100644
--- a/auditbeat/module/file_integrity/event_linux.go
+++ b/auditbeat/module/file_integrity/event_linux.go
@@ -44,11 +44,11 @@ func NewEventFromEbpfEvent(
 ) (Event, bool) {
 	var (
 		path, target, cgroupPath string
-		action       Action
-		metadata     Metadata
-		process      Process
-		err          error
-		errors       = make([]error, 0)
+		action                   Action
+		metadata                 Metadata
+		process                  Process
+		err                      error
+		errors                   []error
 	)
 	switch ee.Type {
 	case ebpfevents.EventTypeFileCreate: