Are you asking about fluent-bit?
Hi Community, I am trying to understand why I cannot get all the fields lifted.
Fluentbit 1.9
PARSER is cri with the standard regex
Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<log>.*)$
Example input line:
2023-04-17T00:54:39.459348277+00:00 stdout F {"package":"com.ana.server.message","level":"WARNING","log":{"assertion-status":"Assertion Falsified","authenticated":false,"client-ip":"10.130.2.121","id":"e1086d14-3b5d-4a27-b7ac-ccf822fb3dac","message":"Message was not processed: Assertion Falsified (600)","node-id":"/GRe5RHaDfwUJU4tc2S6FEF8HgZ8aei4","request-id":"5934272b0a337b17-d812a6456892c6a6","routing-http-status":0.0,"routing-latency":0.0,"service":"oauth [/oauth]","type":"message","service-folder-path":"/oauth","listen-port":"Default HTTPS (9443)"},"time":"2023-04-17T00:54:39.459+0000"}
Notice that the "log" named regular expression group is JSON, but inside it is a key that is named "log" and has JSON values inside it too.
I am trying to lift all the content inside with a log_ prefix and as such have this FILTER configuration
Please note that the tag ana_log is correct, and the output is redirected to elasticsearch properly. But I see a single tag, namely "log" that shows up (based on the cri regex parsing).
I want to lift all values inside such that all key/values can be seen as individual items in kibana/elastic.
For instance, there should be a field assertion-status, another field authenticated, another field message, etc.
What am I missing?
Appreciate all the help.
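A Python model of the record at each stage described in the question, as an added example that is not part of the original post and is not Fluent Bit code: the cri regex leaves `log` as one string, and the fields become individual keys only after that string is decoded as JSON and its nested `log` map is lifted with the `log_` prefix. The function names and the shortened sample line are assumptions made for the illustration.

```python
import json
import re

# Constructed sample: the CRI line from the post, shortened to a few of its keys.
SAMPLE = (
    '2023-04-17T00:54:39.459348277+00:00 stdout F '
    '{"package":"com.ana.server.message","level":"WARNING",'
    '"log":{"assertion-status":"Assertion Falsified","authenticated":false,'
    '"client-ip":"10.130.2.121","message":"Message was not processed: Assertion Falsified (600)"},'
    '"time":"2023-04-17T00:54:39.459+0000"}')

# The cri regex from the post; Python spells named groups (?P<name>...).
CRI = re.compile(r'^(?P<time>[^ ]+) (?P<stream>stdout|stderr) (?P<logtag>[^ ]*) (?P<log>.*)$')

def parse_cri(line):
    """Stage 1: regex only. 'log' comes out as one opaque string."""
    m = CRI.match(line)
    if m is None:
        raise ValueError("not a CRI-formatted line")
    return m.groupdict()

def decode_log(record, key="log"):
    """Stage 2: decode the JSON text held in `key`; non-JSON payloads pass through."""
    try:
        inner = json.loads(record[key])
    except (KeyError, TypeError, ValueError):
        return dict(record)
    if not isinstance(inner, dict):
        return dict(record)
    out = {k: v for k, v in record.items() if k != key}
    out.update(inner)  # in this model, inner keys replace same-named outer keys (e.g. time)
    return out

def lift(record, nested_under="log", prefix="log_"):
    """Stage 3: move the children of a nested map up one level, adding a prefix."""
    nested = record.get(nested_under)
    if not isinstance(nested, dict):
        return dict(record)
    out = {k: v for k, v in record.items() if k != nested_under}
    out.update({prefix + k: v for k, v in nested.items()})
    return out

def pipeline(line):
    return lift(decode_log(parse_cri(line)))
```
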