[Response Ops] [Alerting] Unflattening summarized alerts (#147890)

Towards https://github.com/elastic/kibana/issues/147379

## Summary

When investigating how to [onboard detection alerts onto framework alert
summaries](https://github.com/elastic/kibana/issues/147379), there were
some discrepancies in the format of the alert documents returned. This
PR fixes the formatting so it matches and there will be no difference in
`context.alerts` when we migrate detection alerts to the framework.


### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

x-pack/plugins/rule_registry/server/utils/create_get_summarized_alerts_fn.ts

@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { merge } from 'lodash';
 import type { PublicContract } from '@kbn/utility-types';
 import { ESSearchRequest, ESSearchResponse } from '@kbn/es-types';
 import type { GetSummarizedAlertsFnOpts } from '@kbn/alerting-plugin/server';
@@ -179,12 +180,38 @@ const getLifecycleAlertsByExecutionUuid = async ({
   };
 };
 
+const expandDottedField = (dottedFieldName: string, val: unknown): object => {
+  const parts = dottedFieldName.split('.');
+  if (parts.length === 1) {
+    return { [parts[0]]: val };
+  } else {
+    return { [parts[0]]: expandDottedField(parts.slice(1).join('.'), val) };
+  }
+};
+
+const expandFlattenedAlert = (alert: object) => {
+  return Object.entries(alert).reduce(
+    (acc, [key, val]) => merge(acc, expandDottedField(key, val)),
+    {}
+  );
+};
+
 const getHitsWithCount = <TSearchRequest extends ESSearchRequest>(
   response: ESSearchResponse<AlertDocument, TSearchRequest>
 ) => {
   return {
     count: (response.hits.total as SearchTotalHits).value,
-    data: response.hits.hits.map((r) => r._source),
+    data: response.hits.hits.map((hit) => {
+      const { _id, _index, _source } = hit;
+
+      const rawAlert = {
+        _id,
+        _index,
+        ..._source,
+      };
+
+      return expandFlattenedAlert(rawAlert as object);
+    }),
   };
 };
 

x-pack/test/rule_registry/spaces_only/tests/trial/get_summarized_alerts.ts

@@ -28,6 +28,7 @@ import {
   RuleDataService,
 } from '@kbn/rule-registry-plugin/server';
 import { RuleExecutorOptions } from '@kbn/alerting-plugin/server';
+import { get } from 'lodash';
 import type { FtrProviderContext } from '../../../common/ftr_provider_context';
 import {
   MockRuleParams,
@@ -357,7 +358,7 @@ export default function createGetSummarizedAlertsTest({ getService }: FtrProvide
       expect(summarizedAlertsExcludingId1.new.count).to.eql(1);
       expect(summarizedAlertsExcludingId1.ongoing.count).to.eql(0);
       expect(summarizedAlertsExcludingId1.recovered.count).to.eql(0);
-      expect(summarizedAlertsExcludingId1.new.data[0][ALERT_INSTANCE_ID]).to.eql(id2);
+      expect(get(summarizedAlertsExcludingId1.new.data[0], ALERT_INSTANCE_ID)).to.eql(id2);
 
       const summarizedAlertsExcludingId2 = await getSummarizedAlerts({
         ruleId,
@@ -368,7 +369,7 @@ export default function createGetSummarizedAlertsTest({ getService }: FtrProvide
       expect(summarizedAlertsExcludingId2.new.count).to.eql(1);
       expect(summarizedAlertsExcludingId2.ongoing.count).to.eql(0);
       expect(summarizedAlertsExcludingId2.recovered.count).to.eql(0);
-      expect(summarizedAlertsExcludingId2.new.data[0][ALERT_INSTANCE_ID]).to.eql(id1);
+      expect(get(summarizedAlertsExcludingId2.new.data[0], ALERT_INSTANCE_ID)).to.eql(id1);
     });
   });
 }