Open
Labels
Team:Security-Service Integrations
Description
Summary
System tests for the ti_rapid7_threat_command.alert data stream are failing due to incorrect fleet health status reporting. The unit state transitions from HEALTHY to DEGRADED even though data collection is functioning correctly.
Error Message
Unit state changed httpjson-default-httpjson-ti_rapid7_threat_command-07761d2d-8529-4cc4-b201-ca4222460aa6 (HEALTHY->DEGRADED): events must be JSON objects, but got string: skipping
Root Cause
The data stream uses the httpjson input type with chained calls. The first call in the chain returns a response in the format of an array of strings (see config reference).
When processing this response, the code in response.go encounters string elements in the array and:
- Logs a debug message: "events must be JSON objects, but got string: skipping"
- Updates the fleet health status to DEGRADED
Expected Behavior
The fleet health status should not be set to DEGRADED when the response format is valid for the use case (e.g., array of strings for chained calls).
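An added sketch of the behaviour requested above, not code from response.go or the project: non-object array elements are always skipped, but they only degrade health on a step whose elements are published as events. The function `splitResponse`, the `publishes` flag, the `Health` type and the sample bodies are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Health mirrors the two unit states named in the issue.
type Health string

const (
	Healthy  Health = "HEALTHY"
	Degraded Health = "DEGRADED"
)

// splitResponse decodes a JSON array body and separates object elements
// (publishable events) from everything else. publishes is a hypothetical
// flag: true when this step's elements become events, false when the step
// only feeds values (for example IDs) to the next call in the chain.
func splitResponse(body []byte, publishes bool) ([]map[string]any, int, Health, error) {
	var elems []json.RawMessage
	if err := json.Unmarshal(body, &elems); err != nil {
		return nil, 0, Degraded, fmt.Errorf("response is not a JSON array: %w", err)
	}
	var events []map[string]any
	skipped := 0
	for _, e := range elems {
		var obj map[string]any
		if err := json.Unmarshal(e, &obj); err != nil || obj == nil {
			skipped++ // string, number, bool, null or nested array
			continue
		}
		events = append(events, obj)
	}
	// Only a publishing step treats non-object elements as a health problem.
	if publishes && skipped > 0 {
		return events, skipped, Degraded, nil
	}
	return events, skipped, Healthy, nil
}

func main() {
	// Constructed sample bodies, not captured from the real API.
	_, n, h, _ := splitResponse([]byte(`["id-1","id-2","id-3"]`), false)
	fmt.Println("intermediate step:", n, "skipped,", h)
	_, n, h, _ = splitResponse([]byte(`[{"id":"id-1"},"stray"]`), true)
	fmt.Println("publishing step:", n, "skipped,", h)
}
```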