Upgrading Elasticsearch Alert Field

Beginning with CCP 1.7.0, the Elasticsearch metaalert alert nested field has been changed to metron_alert. Due to this change, CCP 1.7.0 and later is unable to use indices containing the alert field.

You must adjust your templates and mappings to reflect the new field name metron_alert, then create new indices with the new template and mapping, and migrate existing data to the new indices.