Rebased with master to add Threat fields

docs/field-details.asciidoc

@@ -3046,6 +3046,8 @@ NOTE: The `os` fields should *not* be used directly as top-level fields.
 
 These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location.
 
+
+
 ==== Package Field Details
 
 [options="header"]
@@ -3168,6 +3170,12 @@ example: `1.12.9`
 
 |=====
 
+[[ecs-package-reuse]]
+==== Field Reuse
+
+These fields are never nested under or a parent of other field sets.
+
+
 [[ecs-process]]
 === Process Fields
 
@@ -3890,14 +3898,16 @@ The `source` field can be a parent of:
 
 
 |=====
-
+NOTE: The `source` fields *cannot* be nested under other field sets.
 [[ecs-threat]]
 === Threat Fields
 
 Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework.
 
 These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a  common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat  (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by  this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
 
+
+
 ==== Threat Field Details
 
 [options="header"]
@@ -3985,6 +3995,12 @@ example: `https://attack.mitre.org/techniques/T1499/`
 
 |=====
 
+[[ecs-threat-reuse]]
+==== Field Reuse
+
+These fields are never nested under or a parent of other field sets.
+
+
 [[ecs-tracing]]
 === Tracing Fields