I don't think this should change.

Make this depend on preserve_original_event?

The use case of this processor is users that want to ingest directly from Falco without the need of a Elastic agent, so they'd just install the integration assets. In this scenario, incoming events would not include the preserve_original_event tag so that's why I didn't add it as a dependency.

Matching ctx?.output_fields != null means that the event doesn't follow the format that Filebeat delivers, wrapping the entire event into message, and it follows the format that Falco Sidekick provides.

This is also why I didn't add test cases, in the context of the integration, I couldn't find a way to reproduce this format.

I don't think this is the right thing to do; toString gives a Java syntax representation of the value:

def a = [:];
a.a = 1;
a.b = 2;
a.c = "three";
a.toString();

{a=1, b=2, c=three}

We want something that renders the JSON. Json.dump works, though note that it does not canonicalise key order in my experience, so tests will be brittle.

def a = [:];
a.a = 1;
a.b = 2;
a.c = "three";
Json.dump(a);

{"a":1,"b":2,"c":"three"}

Alternatively, just retaining the actual original data.

Thanks for the suggestions. I've tried using Json.dump() and it works as you mentioned. I think it is ok that result doesn't follow canonical order as tests were not added for this use case.