[Fields Metadata] Update dependency @elastic/ecs to ^9.2.0 and optimize bundle

package.json

@@ -130,7 +130,7 @@
     "@elastic/charts": "71.1.2",
     "@elastic/datemath": "5.0.3",
     "@elastic/ebt": "1.4.1",
-    "@elastic/ecs": "9.0.0",
+    "@elastic/ecs": "9.2.0",
     "@elastic/elasticsearch": "9.2.0",
     "@elastic/ems-client": "8.6.3",
     "@elastic/eui": "112.3.0",

src/platform/packages/shared/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts

@@ -63,6 +63,12 @@ import {
 } from '@kbn/rule-data-utils';
 import type { MultiField } from './types';
 
+// ECS defines data_stream.* as constant_keyword, but alerts need them as regular keyword
+// since constant_keyword is excluded from ecsFieldMap (causes composite mapping conflicts).
+const DATA_STREAM_DATASET = 'data_stream.dataset' as const;
+const DATA_STREAM_NAMESPACE = 'data_stream.namespace' as const;
+const DATA_STREAM_TYPE = 'data_stream.type' as const;
+
 export const alertFieldMap = {
   [ALERT_ACTION_GROUP]: {
     type: 'keyword',
@@ -284,6 +290,7 @@ export const alertFieldMap = {
     type: 'unmapped',
     required: false,
   },
+  // ignore_above values must match ECS definitions to prevent composite mapping conflicts
   [EVENT_ACTION]: {
     type: 'keyword',
     array: false,
@@ -296,21 +303,39 @@ export const alertFieldMap = {
     required: false,
     ignore_above: 1024,
   },
+  // 32766 is Lucene's max term byte length - prevents "immense term" indexing errors
   [EVENT_ORIGINAL]: {
     type: 'keyword',
     array: false,
     required: false,
-    ignore_above: 1024,
+    ignore_above: 32766,
+  },
+  [DATA_STREAM_TYPE]: {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  [DATA_STREAM_DATASET]: {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  [DATA_STREAM_NAMESPACE]: {
+    type: 'keyword',
+    array: false,
+    required: false,
   },
   [SPACE_IDS]: {
     type: 'keyword',
     array: true,
     required: true,
   },
+  // ignore_above: 1024 matches ECS definition to prevent composite mapping conflicts
   [TAGS]: {
     type: 'keyword',
     array: true,
     required: false,
+    ignore_above: 1024,
   },
   [TIMESTAMP]: {
     type: 'date',

src/platform/packages/shared/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts

@@ -10,7 +10,10 @@
 import { EcsFlat } from '@elastic/ecs';
 import type { EcsMetadata, FieldMap } from './types';
 
-const EXCLUDED_TYPES = ['constant_keyword'];
+// These field types cause Elasticsearch "invalid composite mappings" errors when composing
+// index templates. constant_keyword conflicts with keyword overrides, while nested/flattened
+// types cannot be mixed with object mappings in component template composition.
+const EXCLUDED_TYPES = ['constant_keyword', 'nested', 'flattened'];
 
 // ECS fields that have reached Stage 2 in the RFC process
 // are included in the generated Yaml but are still considered
@@ -48,10 +51,24 @@ const EXPERIMENTAL_FIELDS = [
   'process.io.bytes',
 ];
 
+// Child fields of excluded parent types must also be excluded to prevent mapping conflicts.
+// E.g., if threat.enrichments is nested, all threat.enrichments.* children are also excluded.
+const EXCLUDED_PARENT_PATHS = Object.entries(EcsFlat)
+  .filter(([_, value]) => EXCLUDED_TYPES.includes(value.type))
+  .map(([key]) => key + '.');
+
+// Check if a field is a child of an excluded parent
+const isChildOfExcludedParent = (fieldKey: string): boolean => {
+  return EXCLUDED_PARENT_PATHS.some((parentPath) => fieldKey.startsWith(parentPath));
+};
+
 export const ecsFieldMap: FieldMap = Object.fromEntries(
   Object.entries(EcsFlat)
     .filter(
-      ([key, value]) => !EXCLUDED_TYPES.includes(value.type) && !EXPERIMENTAL_FIELDS.includes(key)
+      ([key, value]) =>
+        !EXCLUDED_TYPES.includes(value.type) &&
+        !EXPERIMENTAL_FIELDS.includes(key) &&
+        !isChildOfExcludedParent(key)
     )
     .map(([key, _]) => {
       const value: EcsMetadata = EcsFlat[key as keyof typeof EcsFlat];
@@ -70,3 +87,16 @@ export const ecsFieldMap: FieldMap = Object.fromEntries(
 );
 
 export type EcsFieldMap = typeof ecsFieldMap;
+
+/**
+ * A Set containing the names of ECS fields that have type 'nested'.
+ * This is exported separately from ecsFieldMap because nested fields are excluded
+ * from ecsFieldMap to prevent Elasticsearch composite mapping conflicts, but some
+ * code (like traverseAndMutateDoc) still needs to know which fields are nested
+ * to properly validate alert documents.
+ */
+export const ecsNestedFieldNames: ReadonlySet<string> = new Set(
+  Object.entries(EcsFlat)
+    .filter(([_, value]) => value.type === 'nested')
+    .map(([key]) => key)
+);

src/platform/packages/shared/kbn-alerts-as-data-utils/src/field_maps/legacy_alert_field_map.ts

@@ -185,6 +185,7 @@ export const legacyAlertFieldMap = {
     type: 'keyword',
     array: false,
     required: false,
+    ignore_above: 1024,
   },
 } as const;
 

src/platform/packages/shared/kbn-alerts-as-data-utils/src/schemas/generated/alert_schema.ts

@@ -83,6 +83,9 @@ const AlertRequired = rt.type({
 });
 // prettier-ignore
 const AlertOptional = rt.partial({
+  'data_stream.dataset': schemaString,
+  'data_stream.namespace': schemaString,
+  'data_stream.type': schemaString,
   'event.action': schemaString,
   'event.kind': schemaString,
   'event.original': schemaString,