Updated Falco Alerts (markdown)

Falco-Alerts.md

@@ -67,21 +67,29 @@ For all output channels, you can switch to JSON output either in the configurati
 * `rule`: the rule that resulted in the alert.
 * `priority`: the priority of the rule that generated the alert.
 * `output`: the formatted output string for the alert.
+* `output_fields`: for each templated value in the output expression, the value of that field from the event that triggered the alert.
 
 Here's an example:
 
 ```
-{"output":"16:47:44.080226697: Warning Sensitive file opened for reading by non-trusted program (user=root command=cat /etc/shadow file=/etc/shadow)","priority":"Warning","rule":"read_sensitive_file_untrusted","time":"2016-06-06T23:47:44.080226697Z"}
+{"output":"16:31:56.746609046: Error File below a known binary directory opened for writing (user=root command=touch /bin/hack file=/bin/hack)","priority":"Error","rule":"Write below binary dir","time":"2017-10-09T23:31:56.746609046Z", "output_fields": {"evt.t\
+ime":1507591916746609046,"fd.name":"/bin/hack","proc.cmdline":"touch /bin/hack","user.name":"root"}} 
 ```
 
 Here's the same output, pretty-printed:
 
 ```
 {
-    "output": "16:47:44.080226697: Warning Sensitive file opened for reading by non-trusted program (user=root command=cat /etc/shadow file=/etc/shadow)",
+   "output" : "16:31:56.746609046: Error File below a known binary directory opened for writing (user=root command=touch /bin/hack file=/bin/hack)"
-    "priority": "Warning",
+   "priority" : "Error",
-    "rule": "read_sensitive_file_untrusted",
+   "rule" : "Write below binary dir",
-    "time": "2016-06-06T23:47:44.080226697Z"
+   "time" : "2017-10-09T23:31:56.746609046Z",
+   "output_fields" : {
+      "user.name" : "root",
+      "evt.time" : 1507591916746609046,
+      "fd.name" : "/bin/hack",
+      "proc.cmdline" : "touch /bin/hack"
+   }
 }
 ```