From b43431c0ade1f5deade8ff9371597b317d502ec4 Mon Sep 17 00:00:00 2001 From: Maxwell Borden Date: Mon, 22 Aug 2022 11:07:26 -0700 Subject: [PATCH 1/2] Changed type of process.env_vars to show shadowing Updated the type of process.env_vars to be an array of string keywords to support shadowed variables, i.e. duplicated names with different values. --- schemas/process.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/schemas/process.yml b/schemas/process.yml index b4a148222c..497f7d4095 100644 --- a/schemas/process.yml +++ b/schemas/process.yml @@ -280,15 +280,17 @@ - name: env_vars level: extended - type: object + type: keyword beta: This field is beta and subject to change. - short: Environment variables set at the time of the event. + short: Array of environment variable bindings. description: > - Environment variables (`env_vars`) set at the time of the event. - May be filtered to protect sensitive information. + Array of environment variable bindings. + Captured from a snapshot of the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`. - example: "{\"USER\": \"elastic\",\"LANG\": \"en_US.UTF-8\",\"HOME\": \"/home/elastic\"}" + May be filtered to protect sensitive information. + example: "[\"PATH=/usr/local/bin:/usr/bin\", \"USER=ubuntu\"]" + normalize: + - array - name: entry_meta.type level: extended From af6d9b325f7c1fb83bf3d9c4272057a6e878620d Mon Sep 17 00:00:00 2001 
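Review bot: The new `description` of `env_vars` in schemas/process.yml never states the format of a binding; only the example shows `NAME=value`, so producers and rule authors must guess how to split an entry whose value itself contains `=`. I would add a sentence such as `Each entry is a single NAME=value string; the variable name ends at the first "=".` Each binding is now one opaque keyword rather than a key in an object, so any name-based redaction downstream has to parse the string first, and `May be filtered to protect sensitive information.` gives producers little to act on. Consider adding `Producers should record only an allowlist of variable names, because process environments often carry credentials and tokens.` The generated mappings later in this series apply `ignore_above: 1024` to the field, so bindings longer than that (a long `PATH`, for example) would presumably not be indexed and searches on them would miss; the description should mention that limit.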
From: Maxwell Borden Date: Wed, 24 Aug 2022 10:26:00 -0700 Subject: [PATCH 2/2] updated CHANGELOG.next.md --- CHANGELOG.next.md | 2 ++ docs/fields/field-details.asciidoc | 11 +++++++---- experimental/generated/beats/fields.ecs.yml | 11 ++++++----- experimental/generated/csv/fields.csv | 2 +- experimental/generated/ecs/ecs_flat.yml | 16 +++++++++------- experimental/generated/ecs/ecs_nested.yml | 16 +++++++++------- .../composable/component/process.json | 3 ++- .../generated/elasticsearch/legacy/template.json | 3 ++- generated/beats/fields.ecs.yml | 11 ++++++----- generated/csv/fields.csv | 2 +- generated/ecs/ecs_flat.yml | 16 +++++++++------- generated/ecs/ecs_nested.yml | 16 +++++++++------- .../composable/component/process.json | 3 ++- generated/elasticsearch/legacy/template.json | 3 ++- 14 files changed, 67 insertions(+), 48 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index b6915aeb5a..a76fa6262a 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -38,6 +38,8 @@ Thanks, you're awesome :-) --> ## 8.5.0 (Soft Feature Freeze) +* Changed `process.env_vars` field type to be an array of keywords. #2038 + ### Schema Changes #### Breaking changes diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 9003b023f2..a79f89ae41 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
@@ -7350,15 +7350,18 @@ type: keyword a| beta:[ This field is beta and subject to change. ] -Environment variables (`env_vars`) set at the time of the event. May be filtered to protect sensitive information. +Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution. -The field should not contain nested objects. All values should use `keyword`. +May be filtered to protect sensitive information. -type: object +type: keyword + + +Note: this field should contain an array of values. -example: `{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}` +example: `["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]` | extended diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index aeee63a4e2..c857369ed9 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -5549,12 +5549,13 @@ default_field: false - name: env_vars level: extended - type: object - description: 'Environment variables (`env_vars`) set at the time of the event. - May be filtered to protect sensitive information. + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`.' - example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' default_field: false - name: executable level: extended diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 1356a9c466..b9ea06c02d 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -613,7 +613,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 8.6.0-dev+exp,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.6.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.6.0-dev+exp,true,process,process.env_vars,object,extended,,"{""USER"": ""elastic"",""LANG"": ""en_US.UTF-8"",""HOME"": ""/home/elastic""}",Environment variables set at the time of the event. +8.6.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 8.6.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.6.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.6.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index c80f99e9d6..1127d55c7f 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -7947,17 +7947,19 @@ process.entry_leader.working_directory: process.env_vars: beta: This field is beta and subject to change. dashed_name: process-env-vars - description: 'Environment variables (`env_vars`) set at the time of the event. May - be filtered to protect sensitive information. + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`.' - example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' flat_name: process.env_vars + ignore_above: 1024 level: extended name: env_vars - normalize: [] - short: Environment variables set at the time of the event. - type: object + normalize: + - array + short: Array of environment variable bindings. + type: keyword process.executable: dashed_name: process-executable description: Absolute path to the process executable. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index f5b9e97dc1..8dfc6c4370 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -9668,17 +9668,19 @@ process: process.env_vars: beta: This field is beta and subject to change. dashed_name: process-env-vars - description: 'Environment variables (`env_vars`) set at the time of the event. - May be filtered to protect sensitive information. + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`.' - example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' flat_name: process.env_vars + ignore_above: 1024 level: extended name: env_vars - normalize: [] - short: Environment variables set at the time of the event. - type: object + normalize: + - array + short: Array of environment variable bindings. + type: keyword process.executable: dashed_name: process-executable description: Absolute path to the process executable. diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index b480c995e8..3d198e115c 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -403,7 +403,8 @@ } }, "env_vars": { - "type": "object" + "ignore_above": 1024, + "type": "keyword" }, "executable": { "fields": { diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index af8a93e97c..be2b16996b 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -2923,7 +2923,8 @@ } }, "env_vars": { - "type": "object" + "ignore_above": 1024, + "type": "keyword" }, "executable": { "fields": { 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 7b29dbd6b4..a252c8258d 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -5453,12 +5453,13 @@ default_field: false - name: env_vars level: extended - type: object - description: 'Environment variables (`env_vars`) set at the time of the event. - May be filtered to protect sensitive information. + type: keyword + ignore_above: 1024 + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`.' - example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' default_field: false - name: executable level: extended diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index cc4baa9974..af5a8eda2b 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -600,7 +600,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.6.0-dev,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user. 8.6.0-dev,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.6.0-dev,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. -8.6.0-dev,true,process,process.env_vars,object,extended,,"{""USER"": ""elastic"",""LANG"": ""en_US.UTF-8"",""HOME"": ""/home/elastic""}",Environment variables set at the time of the event. +8.6.0-dev,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. 8.6.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.6.0-dev,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable. 8.6.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 55d0dcd98b..d89882262d 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -7798,17 +7798,19 @@ process.entry_leader.working_directory: process.env_vars: beta: This field is beta and subject to change. dashed_name: process-env-vars - description: 'Environment variables (`env_vars`) set at the time of the event. May - be filtered to protect sensitive information. + description: 'Array of environment variable bindings. Captured from a snapshot of + the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`.' - example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' flat_name: process.env_vars + ignore_above: 1024 level: extended name: env_vars - normalize: [] - short: Environment variables set at the time of the event. - type: object + normalize: + - array + short: Array of environment variable bindings. + type: keyword process.executable: dashed_name: process-executable description: Absolute path to the process executable. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index ed94f30d11..47cd60cbe4 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -9504,17 +9504,19 @@ process: process.env_vars: beta: This field is beta and subject to change. dashed_name: process-env-vars - description: 'Environment variables (`env_vars`) set at the time of the event. - May be filtered to protect sensitive information. + description: 'Array of environment variable bindings. Captured from a snapshot + of the environment at the time of execution. - The field should not contain nested objects. All values should use `keyword`.' - example: '{"USER": "elastic","LANG": "en_US.UTF-8","HOME": "/home/elastic"}' + May be filtered to protect sensitive information.' + example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]' flat_name: process.env_vars + ignore_above: 1024 level: extended name: env_vars - normalize: [] - short: Environment variables set at the time of the event. - type: object + normalize: + - array + short: Array of environment variable bindings. + type: keyword process.executable: dashed_name: process-executable description: Absolute path to the process executable. diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 2562eec8c4..c117fc17a4 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -403,7 +403,8 @@ } }, "env_vars": { - "type": "object" + "ignore_above": 1024, + "type": "keyword" }, "executable": { "fields": { diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 7b06a421b7..d14a1e8026 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -2857,7 +2857,8 @@ } }, "env_vars": { - "type": "object" + "ignore_above": 1024, + "type": "keyword" }, "executable": { "fields": {