diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReader.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReader.java
index 5779924bb27fb..8559ab0703b43 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReader.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReader.java
@@ -193,9 +193,7 @@ private static List<Object> filter(Iterable<?> iterable, CharacterRunAutomaton i
                     continue;
                 }
                 Map<String, Object> filteredValue = filter((Map<String, ?>)value, includeAutomaton, state);
-                if (filteredValue.isEmpty() == false) {
-                    filtered.add(filteredValue);
-                }
+                filtered.add(filteredValue);
             } else if (value instanceof Iterable) {
                 List<Object> filteredValue = filter((Iterable<?>) value, includeAutomaton, initialState);
                 if (filteredValue.isEmpty() == false) {
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReaderTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReaderTests.java
index 4c74e7f5d9059..e71b0e5e8bdc1 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReaderTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReaderTests.java
@@ -716,6 +716,22 @@ public void testSourceFiltering() {
         expected.put("foo", subArray);
 
         assertEquals(expected, filtered);
+
+        // json array objects that have no matching fields should be left empty instead of being removed:
+        // (otherwise nested inner hit source filtering fails with AOOB)
+        map = new HashMap<>();
+        map.put("foo", "value");
+        List<Map<?, ?>> values = new ArrayList<>();
+        values.add(Collections.singletonMap("foo", "1"));
+        values.add(Collections.singletonMap("baz", "2"));
+        map.put("bar", values);
+
+        include = new CharacterRunAutomaton(Automatons.patterns("bar.baz"));
+        filtered = FieldSubsetReader.filter(map, include, 0);
+
+        expected = new HashMap<>();
+        expected.put("bar", Arrays.asList(new HashMap<>(), Collections.singletonMap("baz", "2")));
+        assertEquals(expected, filtered);
     }
 
     /**