Dynamic ECS template tests and even manual ECS mappings for Elastic integrations are failing due to multiple fields missing from nested variations in the generated yml files (both nested and flat).
For example, process.user.name is there, but not process.user.full_name. There seem to be many different variations missing, which is most likely pointing towards a bigger issue somewhere?
A few fields as an example that are missing:
TLDR: This behavior is intended, but the ECS docs need to be corrected for process.user.* and process.group.* to properly detail which nested fields are expected.
The Linux Event Model RFC as originally proposed would have introduced an excessive (at least in the 100s) amount of unused nested fields under process.* and process.parent.*. To avoid having to reinvent how the ECS generator handles field reuses, a global subset filter (implemented in #1847) limits field reuses to the ones explicitly used in the Linux Event Model/Session Viewer.
A schema attribute was added (short_override) for certain field reuses to customize their description and list which nested fields are explicitly in the description, like here: https://github.com/elastic/ecs/blob/main/schemas/process.yml#L58. The reuse descriptions for process.user.*, process.group.*, process.parent.user.*, etc. need to be updated to note which fields are reused.
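Added example, not part of this thread and not the ECS generator's code: a simplified Python model of field reuse with a global subset filter, showing why a mapping that expects every user.* leaf under process.* fails against the generated flat output. The leaf list, the subset contents and all function names are assumptions constructed for illustration; the thread itself only confirms that process.user.name is generated and process.user.full_name is not.

```python
# Simplified model of field reuse plus a global subset filter.
# Illustrative only: names and sample data are constructed, not taken from ECS tooling.

# Constructed sample of leaves defined by the top-level `user` field set.
USER_LEAVES = ["id", "name", "full_name", "email", "domain"]

# Assumed subset for reuses of `user` under process.*; the thread confirms only
# that `name` is kept and `full_name` is dropped.
REUSE_SUBSET = {"id", "name"}


def expand_reuse(parent, reused_set, leaves, subset=None):
    """Flat field names for `reused_set` nested under `parent`.

    With subset=None every leaf is reused (the unfiltered behaviour that would
    produce a large number of unused nested fields); otherwise only listed leaves.
    """
    kept = leaves if subset is None else [leaf for leaf in leaves if leaf in subset]
    return [f"{parent}.{reused_set}.{leaf}" for leaf in kept]


def generate_flat(subset):
    """Build the set of flat field names the modelled generator would emit."""
    flat = [f"user.{leaf}" for leaf in USER_LEAVES]  # top-level set is not filtered
    for parent in ("process", "process.parent"):
        flat += expand_reuse(parent, "user", USER_LEAVES, subset)
    return set(flat)


def missing_fields(expected, generated):
    """Fields a template or integration mapping expects but the output lacks."""
    return sorted(set(expected) - generated)


if __name__ == "__main__":
    generated = generate_flat(REUSE_SUBSET)
    # Constructed list of fields an integration mapping might reference.
    expected = [
        "process.user.name",
        "process.user.full_name",
        "process.parent.user.email",
        "user.full_name",
    ]
    for field in missing_fields(expected, generated):
        print("not generated (filtered by reuse subset):", field)
```

Running the same check against the real generated flat file, with the field names an integration actually maps, separates fields dropped by the subset filter from fields missing for some other reason.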