The current definition of the field user.group is problematic, in that it's a place to put a textual group name. This doesn't leave room for other bits of metadata related to a group (the most obvious one being group.id).
The user.group field actually goes against our principle of not reusing the name of a field set (group) as a field with a different meaning (user.group being a string, rather than the nested field set).
This issue came up while working on the right way to represent the various users/groups that went into determining effective rights: elastic/beats#10192, elastic/beats#9963 and elastic/beats#10111.
I would like to suggest we make this change for ECS 1.0.0 GA.
Discuss ;-)
cc @ruflin @MikePaquette @cwurm @andrewkroh
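An added illustration of the problem described in the post above (not part of the original issue and not code from the ECS project): once `user.group` is defined as a string leaf, no field such as `user.group.id` can be placed beneath it, and nesting the group field set means rewriting existing string values. The helper names, the sample field list and the `name` key under `user.group` are assumptions made for this example.

```python
# Added example. Helper names, sample data and the nested "name" key are assumptions.

def leaf_object_conflicts(field_paths):
    """Return fields that are defined as a leaf but also used as a parent object."""
    paths = set(field_paths)
    conflicts = set()
    for path in paths:
        parts = path.split(".")
        # Every proper prefix of a path must be an object, so it cannot
        # also appear in the list as a leaf field of its own.
        for i in range(1, len(parts)):
            parent = ".".join(parts[:i])
            if parent in paths:
                conflicts.add(parent)
    return sorted(conflicts)


def nest_user_group(event):
    """Rewrite a string user.group into a nested object; the input is not mutated."""
    user = event.get("user")
    if not isinstance(user, dict) or not isinstance(user.get("group"), str):
        return event  # no user.group, or it is already nested
    migrated = dict(event)
    migrated["user"] = {**user, "group": {"name": user["group"]}}
    return migrated


# Constructed sample data.
CURRENT_FIELDS = ["user.id", "user.name", "user.group"]   # user.group is a string
WANTED_FIELDS = CURRENT_FIELDS + ["user.group.id"]        # no room for this
SAMPLE_EVENT = {"user": {"name": "alice", "group": "wheel"}}

if __name__ == "__main__":
    print(leaf_object_conflicts(CURRENT_FIELDS))
    print(leaf_object_conflicts(WANTED_FIELDS))
    print(nest_user_group(SAMPLE_EVENT))
```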