Open
Description
Here is a sample description for EventID 4697:

```
A service was installed in the system.

Subject:
	Security ID:		SYSTEM
	Account Name:		824ZWL3$
	Account Domain:		WORKGROUP
	Logon ID:		0x3E7

Service Information:
	Service Name:		WpnUserService_a46b7
	Service File Name:	C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
	Service Type:		0xE0
	Service Start Type:	2
	Service Account:		LocalSystem
```
Here is a sample of what it looks like with `downcase_description_keys = false`:

```json
{
  "ProviderName": "Microsoft-Windows-Security-Auditing",
  "ProviderGUID": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
  "EventID": "4697",
  "Level": "0",
  "Task": "12289",
  "Opcode": "0",
  "Keywords": "0x8020000000000000",
  "TimeCreated": "2024-11-18T18:18:22.1877179Z",
  "EventRecordID": "37492098",
  "ActivityID": "{d95bbe83-5cf5-44b8-bbd1-9ed12125ae7e}",
  "ProcessID": "728",
  "ThreadID": "7948",
  "Channel": "Security",
  "Computer": "ComputerName",
  "Version": "1",
  "Subject.Security_ID": "S-1-5-21-3432303226-618804411-81073225-3118",
  "Subject.Account_Name": "Username",
  "Subject.Account_Domain": "Domain",
  "Subject.Logon_ID": "0xFB6524B",
  "Service_Information.Service_Name:": "TestService14",
  "Service_Information.Service_File_Name": "C:\\test_service.bat",
  "Service_Information.Service_Type:": "0x10",
  "Service_Information.Service_Start_Type": "2",
  "Service_Information.Service_Account:": "LocalSystem",
}
```
Here is a sample of what it looks like with `downcase_description_keys = true`:

```json
{
  "ProviderName": "Microsoft-Windows-Security-Auditing",
  "ProviderGUID": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
  "EventID": "4697",
  "Level": "0",
  "Task": "12289",
  "Opcode": "0",
  "Keywords": "0x8020000000000000",
  "TimeCreated": "2024-11-18T18:21:28.8693449Z",
  "EventRecordID": "37492172",
  "ActivityID": "{0cc575d8-4ab3-47d7-a9e7-7b84cba265b2}",
  "ProcessID": "728",
  "ThreadID": "7948",
  "Channel": "Security",
  "Computer": "ComputerName",
  "Version": "1",
  "subject.security_id": "S-1-5-21-3432303226-618804411-81073225-3118",
  "subject.account_name": "Username",
  "subject.account_domain": "Domain",
  "subject.logon_id": "0xFB6524B",
  "service_information.service_name:": "TestService14",
  "service_information.service_file_name": "C:\\test_service.bat",
  "service_information.service_type:": "0x10",
  "service_information.service_start_type": "2",
  "service_information.service_account:": "LocalSystem",
}
```
For some reason the fields ServiceName, ServiceType, and ServiceAccount all have an extra `:` at the end of the key name when `downcase_description_keys` is set to false. This causes issues when the logs are ingested into a SIEM. Does anyone know why this is?
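An added example to illustrate the parsing step this report is about; it is not the plugin's own code. It is written in Ruby on the assumption that `downcase_description_keys` belongs to a fluentd input plugin. The parser below treats the first colon followed by whitespace as the label/value separator, so a key can never keep a trailing colon regardless of how many tabs the Windows message template puts after the label, and a second function repairs records that already arrived with `...:` keys before they reach a SIEM. The sample text is constructed from the 4697 description quoted above; the tab padding and the exact tokenization the plugin uses are assumptions, not verified facts about the plugin.

```ruby
# Added example, not the plugin's code: a line-oriented parser for the
# rendered text of a Windows Security event description (the EventID 4697
# text quoted in this issue), producing "Section.Field" keys that never keep
# a trailing colon, plus a key-normalization pass for records that already
# carry the odd "...:" keys.
#
# Assumption (labelled): the rendered message separates a label from its
# value with a colon followed by one or more tabs or spaces, and section
# headers ("Subject:", "Service Information:") are labels with nothing after
# the colon. How the plugin itself tokenizes this text is not verified here.

# Constructed sample, rebuilt from the description quoted in the issue with
# tab padding of the kind Windows templates use (assumed: Service Name,
# Service Type and Service Account are followed by two tabs, the rest by one).
SAMPLE_4697 = <<~DESC
  A service was installed in the system.

  Subject:
  \tSecurity ID:\t\tSYSTEM
  \tAccount Name:\t\t824ZWL3$
  \tAccount Domain:\t\tWORKGROUP
  \tLogon ID:\t\t0x3E7

  Service Information:
  \tService Name:\t\tWpnUserService_a46b7
  \tService File Name:\tC:\\WINDOWS\\system32\\svchost.exe -k UnistackSvcGroup
  \tService Type:\t\t0xE0
  \tService Start Type:\t2
  \tService Account:\t\tLocalSystem
DESC

# A label is everything up to the first colon; the value, if any, is what
# follows the colon and its padding. A line with no colon is free text.
LABEL_RE = /\A([^:]+?):(?:[ \t]+(.*))?\z/

def split_label(line)
  m = LABEL_RE.match(line)
  return nil unless m
  [m[1].strip, m[2] && m[2].strip]
end

# Turn "Service Name" into "Service_Name" (or "service_name"), dropping any
# colon that survived an upstream split.
def normalize_key(key, downcase: false)
  k = key.strip.chomp(":").strip.tr(" ", "_")
  downcase ? k.downcase : k
end

# Returns a flat hash: "DescriptionTitle" plus "Section.Field" => value.
# Note: a field whose value is empty looks exactly like a section header
# here and would open a new section; the 4697 sample has no such field.
def parse_description(text, downcase: false)
  lines = text.lines.map(&:strip).reject(&:empty?)
  record = { "DescriptionTitle" => lines.shift }
  section = nil
  lines.each do |line|
    key, value = split_label(line)
    next if key.nil?                  # free text, not a field
    key = normalize_key(key, downcase: downcase)
    if value.nil? || value.empty?
      section = key                   # "Subject:" opens a new section
    else
      record[section ? "#{section}.#{key}" : key] = value
    end
  end
  record
end

# Post-processing for records that already reached the pipeline with keys
# such as "Service_Information.Service_Name:": strip the trailing colon from
# each dotted key segment so the SIEM sees one stable field name.
def normalize_record_keys(record)
  record.each_with_object({}) do |(k, v), out|
    clean = k.split(".").map { |seg| seg.chomp(":") }.join(".")
    out[clean] = v
  end
end

if __FILE__ == $PROGRAM_NAME
  parse_description(SAMPLE_4697).each { |k, v| puts "#{k} = #{v}" }
end
```

`normalize_record_keys` is the part a pipeline owner can apply today as a workaround (for example in a record-rewriting filter stage before the SIEM output), since it only touches key names and leaves values untouched; the parser shows what a separator rule that tolerates arbitrary tab padding looks like, which is the property the reported keys appear to lack.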