Fix base fields in ECS file (#9619)

So far the base fields of ECS were not read as they were nested under base. This brings them to the top level and resolves all the conflicts with field definitions in libbeat and other Beats.

auditbeat/docs/fields.asciidoc

@@ -2451,30 +2451,6 @@ type: alias
 
 alias to: event.timezone
 
---
-
-*`@timestamp`*::
-+
---
-type: date
-
-example: August 26th 2016, 12:35:53.332
-
-format: date
-
-required: True
-
-The timestamp when the event log record was generated.
-
-
---
-
-*`tags`*::
-+
---
-Arbitrary tags that can be set per Beat and per transaction type.
-
-
 --
 
 *`fields`*::
@@ -2738,136 +2714,129 @@ ECS fields.
 
 
 
-[float]
-== agent fields
-
-The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.
-
-
-
-*`agent.version`*::
+*`@timestamp`*::
 +
 --
-type: keyword
+type: date
 
-example: 6.0.0-rc2
+example: 2016-05-23T08:05:34.853Z
 
-Version of the agent.
+required: True
+
+Date/time when the event originated.
+For log events this is the date/time when the event was generated, and not when it was read.
+Required field for all events.
 
 
 --
 
-*`agent.name`*::
+*`tags`*::
 +
 --
 type: keyword
 
-example: foo
+example: ["production", "env2"]
 
-Name of the agent.
-This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.
-If no name is given, the name is often left empty.
+List of keywords used to tag each event.
 
 
 --
 
-*`agent.type`*::
+*`labels`*::
 +
 --
-type: keyword
+type: object
 
-example: filebeat
+example: {'application': 'foo-bar', 'env': 'production'}
 
-Type of the agent.
-The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.
+Key/value pairs.
+Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
+Example: `docker` and `k8s` labels.
 
 
 --
 
-*`agent.id`*::
+*`message`*::
 +
 --
-type: keyword
+type: text
 
-example: 8a4f500d
+example: Hello World
 
-Unique identifier of this agent (if one exists).
-Example: For Beats this would be beat.id.
+For log events the message field contains the log message.
+In other use cases the message field can be used to concatenate different values which are then freely searchable. If multiple messages exist, they can be combined into one message.
 
 
 --
 
-*`agent.ephemeral_id`*::
-+
---
-type: keyword
+[float]
+== agent fields
 
-example: 8a4f500f
+The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.
 
-Ephemeral identifier of this agent (if one exists).
-This id normally changes across restarts, but `agent.id` does not.
 
 
+*`agent.version`*::
++
 --
+type: keyword
 
-[float]
-== base fields
+example: 6.0.0-rc2
 
-The base set contains all fields which are on the top level. These fields are common across all types of events.
+Version of the agent.
 
 
+--
 
-*`base.@timestamp`*::
+*`agent.name`*::
 +
 --
-type: date
-
-example: 2016-05-23T08:05:34.853Z
+type: keyword
 
-required: True
+example: foo
 
-Date/time when the event originated.
-For log events this is the date/time when the event was generated, and not when it was read.
-Required field for all events.
+Name of the agent.
+This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from.
+If no name is given, the name is often left empty.
 
 
 --
 
-*`base.tags`*::
+*`agent.type`*::
 +
 --
 type: keyword
 
-example: ["production", "env2"]
+example: filebeat
 
-List of keywords used to tag each event.
+Type of the agent.
+The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.
 
 
 --
 
-*`base.labels`*::
+*`agent.id`*::
 +
 --
-type: object
+type: keyword
 
-example: {'application': 'foo-bar', 'env': 'production'}
+example: 8a4f500d
 
-Key/value pairs.
-Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
-Example: `docker` and `k8s` labels.
+Unique identifier of this agent (if one exists).
+Example: For Beats this would be beat.id.
 
 
 --
 
-*`base.message`*::
+*`agent.ephemeral_id`*::
 +
 --
-type: text
+type: keyword
 
-example: Hello World
+example: 8a4f500f
 
-For log events the message field contains the log message.
-In other use cases the message field can be used to concatenate different values which are then freely searchable. If multiple messages exist, they can be combined into one message.
+Ephemeral identifier of this agent (if one exists).
+This id normally changes across restarts, but `agent.id` does not.
 
 
 --

filebeat/_meta/fields.common.yml

@@ -23,13 +23,6 @@
       description: >
         The file offset the reported line starts at.
 
-    - name: message
-      type: text
-      ignore_above: 0
-      required: true
-      description: >
-        The content of the line read from the log file.
-
     - name: stream
       type: keyword
       required: false