From 9a5df4f431a59c24436746a74c9e2eb8b6f5d2bd Mon Sep 17 00:00:00 2001
From: Xavier Mouligneau <189600+XavierM@users.noreply.github.com>
Date: Thu, 4 Mar 2021 20:43:50 -0500
Subject: [PATCH] add nested field inside of dataprovider

---
 .../timelines/components/timeline/helpers.tsx | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/helpers.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/helpers.tsx
index 4b960effb877e..ed6582d81f140 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/helpers.tsx
@@ -64,6 +64,35 @@ const checkIfFieldTypeIsDate = (field: string, browserFields: BrowserFields) =>
   return false;
 };
 
+const convertNestedFieldToQuery = (
+  field: string,
+  value: string | number,
+  browserFields: BrowserFields
+) => {
+  const pathBrowserField = getBrowserFieldPath(field, browserFields);
+  const browserField = get(pathBrowserField, browserFields);
+  const nestedPath = browserField.subType.nested.path;
+  const key = field.replace(`${nestedPath}.`, '');
+  return `${nestedPath}: { ${key}: ${value} }`;
+};
+
+const convertNestedFieldToExistQuery = (field: string, browserFields: BrowserFields) => {
+  const pathBrowserField = getBrowserFieldPath(field, browserFields);
+  const browserField = get(pathBrowserField, browserFields);
+  const nestedPath = browserField.subType.nested.path;
+  const key = field.replace(`${nestedPath}.`, '');
+  return `${nestedPath}: { ${key}: * }`;
+};
+
+const checkIfFieldTypeIsNested = (field: string, browserFields: BrowserFields) => {
+  const pathBrowserField = getBrowserFieldPath(field, browserFields);
+  const browserField = get(pathBrowserField, browserFields);
+  if (browserField != null && browserField.subType) {
+    return true;
+  }
+  return false;
+};
+
 const buildQueryMatch = (
   dataProvider: DataProvider | DataProvidersAnd,
   browserFields: BrowserFields
@@ -73,11 +102,19 @@ const buildQueryMatch = (
     dataProvider.type !== DataProviderType.template
       ? checkIfFieldTypeIsDate(dataProvider.queryMatch.field, browserFields)
         ? convertDateFieldToQuery(dataProvider.queryMatch.field, dataProvider.queryMatch.value)
+        : checkIfFieldTypeIsNested(dataProvider.queryMatch.field, browserFields)
+        ? convertNestedFieldToQuery(
+            dataProvider.queryMatch.field,
+            dataProvider.queryMatch.value,
+            browserFields
+          )
         : `${dataProvider.queryMatch.field} : ${
             isNumber(dataProvider.queryMatch.value)
               ? dataProvider.queryMatch.value
               : escapeQueryValue(dataProvider.queryMatch.value)
           }`
+      : checkIfFieldTypeIsNested(dataProvider.queryMatch.field, browserFields)
+      ? convertNestedFieldExistToQuery(dataProvider.queryMatch.field, browserFields)
       : `${dataProvider.queryMatch.field} ${EXISTS_OPERATOR}`
   }`.trim();