You are close with your message template.
The document can be extracted using the mustache array syntax.
{{#ctx.alerts}}
{{#sample_documents}}
{{/sample_documents}}
{{/ctx.alerts}}
However, there is an issue: mustache indexes don’t work.
{{^-last}}, {{/-last}}
If this worked, it would say only to put a comma if this is not the last iteration.
Because your alert will have multiple documents, you need a comma between them. Which means the results are not valid for JSON. I have my webhook sent as text/html and then run regular expression at the other end to remove any stray commas to make the string valid JSON
{
"alerts": {
"triggerId": "{{ctx.trigger.id}}",
"triggerName": "{{ctx.trigger. name}}",
"lastUpdate": "{{ctx.last_update_time}}",
"periodStart": "{{ctx.periodStart}}",
"periodEnd": "{{ctx.periodEnd}}",
"documents": [
{{#ctx.alerts}}
{{#sample_documents}}
{
"index": "{{_index}}",
"documentId": "{{_id}}",
"timestamp": "{{_source.@timestamp}}",
"event": {
"nodeId": "{{_source.event.nodeId}}",
"filespace": "{{_source.event.filespace}}",
"filespaceUuid": "{{_source.event.filespaceUuid}}"
}
},
{{/sample_documents}}
{{/ctx.alerts}}
]}
}