
Add support for parent event field access during iterate_on processing in add_entries processor#6713

Open
yavmanis wants to merge 1 commit into opensearch-project:main from yavmanis:add_entries_enhancements

Conversation


@yavmanis yavmanis commented Apr 2, 2026

Description

This PR addresses two limitations in the add_entries processor when using iterate_on:

Problem 1: No root-level field access during array iteration
When iterate_on is configured, value_expression and format resolve against the individual array element context. There is no way to reference root-level fields from the event, so expressions like /alert_title return null if alert_title exists only at the root.

Problem 2: add_to_element_when evaluates against root event
The add_to_element_when condition is evaluated against the root event, not the individual array element. This makes per-element conditional logic impossible — e.g., you cannot add a key only to elements where severity == "critical".

Solution

Fix 1: disable_root_keys (default: true)
When set to false with iterate_on, resolves value_expression and format against the root event instead of the array element. This allows injecting root-level fields into each element during iteration.

Fix 2: evaluate_when_on_element (default: false)
When set to true with iterate_on and add_to_element_when, evaluates the add_to_element_when condition against each individual array element instead of the root event.

Example

Input:

{
  "alert_title": "SQL Injection Detected",
  "vulns": [
    {"cve": "CVE-2024-001", "severity": "critical"},
    {"cve": "CVE-2024-002", "severity": "low"},
    {"cve": "CVE-2024-003", "severity": "critical"}
  ]
}

Config:

processor:
  - add_entries:
      entries:
        - key: "title"
          value_expression: "/alert_title"
          iterate_on: "vulns"
          disable_root_keys: false
          add_to_element_when: '/severity == "critical"'
          evaluate_when_on_element: true

Output:

{
  "alert_title": "SQL Injection Detected",
  "vulns": [
    {"cve": "CVE-2024-001", "severity": "critical", "title": "SQL Injection Detected"},
    {"cve": "CVE-2024-002", "severity": "low"},
    {"cve": "CVE-2024-003", "severity": "critical", "title": "SQL Injection Detected"}
  ]
}

Backward Compatibility

Both flags default to values that preserve existing behavior. No existing constructors, tests, or functionality are modified.
Default values for the flags:

disable_root_keys: true
evaluate_when_on_element: false

Issues Resolved

Resolves #6609

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
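
A compact model of the resolution semantics this PR describes, added here as an illustration and not the Data Prepper implementation: `resolve`, `evaluate` and `add_entries` are hypothetical stand-ins for the processor's expression engine, the sample event is the PR's own input, and a value_expression that resolves to null is assumed to add nothing. It runs the PR's example config under the default flags (old behaviour) and under the new flags.

```python
import copy
import re

# Constructed sample event, copied from the PR description's input
SAMPLE_EVENT = {
    "alert_title": "SQL Injection Detected",
    "vulns": [
        {"cve": "CVE-2024-001", "severity": "critical"},
        {"cve": "CVE-2024-002", "severity": "low"},
        {"cve": "CVE-2024-003", "severity": "critical"},
    ],
}

def resolve(pointer, context):
    """Resolve a JSON-pointer-like path such as '/alert_title' against a dict.
    Returns None when any segment is missing (the 'null' the PR describes)."""
    value = context
    for part in pointer.strip("/").split("/"):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

# Only the condition shape used in the PR example: /path == "literal" (or !=)
_COND = re.compile(r'^\s*(/[\w/]+)\s*(==|!=)\s*"([^"]*)"\s*$')

def evaluate(condition, context):
    """Evaluate a simple equality condition against the given context."""
    m = _COND.match(condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition}")
    actual = resolve(m.group(1), context)
    return actual == m.group(3) if m.group(2) == "==" else actual != m.group(3)

def add_entries(event, key, value_expression, iterate_on,
                disable_root_keys=True, add_to_element_when=None,
                evaluate_when_on_element=False):
    """Hypothetical model of add_entries + iterate_on under the PR's two flags."""
    out = copy.deepcopy(event)  # processor returns a new event; input untouched
    for element in out.get(iterate_on, []):
        if add_to_element_when is not None:
            # Default: condition sees the root event; flag on: the element itself
            cond_ctx = element if evaluate_when_on_element else out
            if not evaluate(add_to_element_when, cond_ctx):
                continue
        # Default: expression sees the element; disable_root_keys=False: the root
        value_ctx = element if disable_root_keys else out
        value = resolve(value_expression, value_ctx)
        if value is not None:  # assumption: a null value adds no entry
            element[key] = value
    return out
```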

…ries processor

Signed-off-by: Manisha Yadav <yavmanis@amazon.com>
@yavmanis yavmanis force-pushed the add_entries_enhancements branch from 1390a5d to 0ba2de5 Compare April 2, 2026 14:37

Successfully merging this pull request may close these issues.

[FEATURE] Support parent event field access during iterate_on processing