WIP Update the HTTP field set with ECS definitions as of beta 2 (#9645)

- Introduces fields for http size metrics
- HTTP body field is now nested deeper:
  - `http.request.body` moves to `http.request.body.content`
  - `http.response.body` moves to `http.response.body.content`
  - packetbeat has been adjusted accordingly
- Introduces missing field definition updates (mainly to lowercase `method`)
- Unrelated: delete `x-pack/auditbeat/include/fields.go` which should have been deleted in #9724.

CHANGELOG.asciidoc

@@ -35,6 +35,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Packetbeat*
 
+- Adjust Packetbeat `http` fields to ECS Beta 2 {pull}9645[9645]
+  - `http.request.body` moves to `http.request.body.content`
+  - `http.response.body` moves to `http.response.body.content`
+
 *Winlogbeat*
 
 *Functionbeat*
@@ -67,6 +71,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Affecting all Beats*
 
+- Update field definitions for `http` to ECS Beta 2 {pull}9645[9645]
+
 *Auditbeat*
 
 - Add system module. {pull}9546[9546]

auditbeat/docs/fields.asciidoc

@@ -4071,9 +4071,22 @@ Fields related to HTTP activity.
 --
 type: keyword
 
-example: GET, POST, PUT
+example: get, post, put
 
 Http request method.
+The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS"  section.
+
+
+--
+
+*`http.request.body.content`*::
++
+--
+type: keyword
+
+example: Hello world
+
+The full http request body.
 
 
 --
@@ -4102,7 +4115,7 @@ Http response status code.
 
 --
 
-*`http.response.body`*::
+*`http.response.body.content`*::
 +
 --
 type: keyword
@@ -4124,6 +4137,54 @@ example: 1.1
 Http version.
 
 
+--
+
+*`http.request.bytes`*::
++
+--
+type: long
+
+example: 1437
+
+Total size in bytes of the request (body and headers).
+
+
+--
+
+*`http.request.body.bytes`*::
++
+--
+type: long
+
+example: 887
+
+Size in bytes of the request body.
+
+
+--
+
+*`http.response.bytes`*::
++
+--
+type: long
+
+example: 1437
+
+Total size in bytes of the response (body and headers).
+
+
+--
+
+*`http.response.body.bytes`*::
++
+--
+type: long
+
+example: 887
+
+Size in bytes of the response body.
+
+
 --
 
 [float]

filebeat/docs/fields.asciidoc

@@ -2097,9 +2097,22 @@ Fields related to HTTP activity.
 --
 type: keyword
 
-example: GET, POST, PUT
+example: get, post, put
 
 Http request method.
+The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS"  section.
+
+
+--
+
+*`http.request.body.content`*::
++
+--
+type: keyword
+
+example: Hello world
+
+The full http request body.
 
 
 --
@@ -2128,7 +2141,7 @@ Http response status code.
 
 --
 
-*`http.response.body`*::
+*`http.response.body.content`*::
 +
 --
 type: keyword
@@ -2150,6 +2163,54 @@ example: 1.1
 Http version.
 
 
+--
+
+*`http.request.bytes`*::
++
+--
+type: long
+
+example: 1437
+
+Total size in bytes of the request (body and headers).
+
+
+--
+
+*`http.request.body.bytes`*::
++
+--
+type: long
+
+example: 887
+
+Size in bytes of the request body.
+
+
+--
+
+*`http.response.bytes`*::
++
+--
+type: long
+
+example: 1437
+
+Total size in bytes of the response (body and headers).
+
+
+--
+
+*`http.response.body.bytes`*::
++
+--
+type: long
+
+example: 887
+
+Size in bytes of the response body.
+
+
 --
 
 [float]

heartbeat/docs/fields.asciidoc

@@ -1662,9 +1662,22 @@ Fields related to HTTP activity.
 --
 type: keyword
 
-example: GET, POST, PUT
+example: get, post, put
 
 Http request method.
+The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS"  section.
+
+
+--
+
+*`http.request.body.content`*::
++
+--
+type: keyword
+
+example: Hello world
+
+The full http request body.
 
 
 --
@@ -1693,7 +1706,7 @@ Http response status code.
 
 --
 
-*`http.response.body`*::
+*`http.response.body.content`*::
 +
 --
 type: keyword
@@ -1715,6 +1728,54 @@ example: 1.1
 Http version.
 
 
+--
+
+*`http.request.bytes`*::
++
+--
+type: long
+
+example: 1437
+
+Total size in bytes of the request (body and headers).
+
+
+--
+
+*`http.request.body.bytes`*::
++
+--
+type: long
+
+example: 887
+
+Size in bytes of the request body.
+
+
+--
+
+*`http.response.bytes`*::
++
+--
+type: long
+
+example: 1437
+
+Total size in bytes of the response (body and headers).
+
+
+--
+
+*`http.response.body.bytes`*::
++
+--
+type: long
+
+example: 887
+
+Size in bytes of the response body.
+
+
 --
 
 [float]

journalbeat/docs/fields.asciidoc

@@ -1943,9 +1943,22 @@ Fields related to HTTP activity.
 --
 type: keyword
 
-example: GET, POST, PUT
+example: get, post, put
 
 Http request method.
+The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS"  section.
+
+
+--
+
+*`http.request.body.content`*::
++
+--
+type: keyword
+
+example: Hello world
+
+The full http request body.
 
 
 --
@@ -1974,7 +1987,7 @@ Http response status code.
 
 --
 
-*`http.response.body`*::
+*`http.response.body.content`*::
 +
 --
 type: keyword
@@ -1996,6 +2009,54 @@ example: 1.1
 Http version.
 
 
+--
+
+*`http.request.bytes`*::
++
+--
+type: long
+
+example: 1437
+
+Total size in bytes of the request (body and headers).
+
+
+--
+
+*`http.request.body.bytes`*::
++
+--
+type: long
+
+example: 887
+
+Size in bytes of the request body.
+
+
+--
+
+*`http.response.bytes`*::
++
+--
+type: long
+
+example: 1437
+
+Total size in bytes of the response (body and headers).
+
+
+--
+
+*`http.response.body.bytes`*::
++
+--
+type: long
+
+example: 887
+
+Size in bytes of the response body.
+
+
 --
 
 [float]