elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[ResponseOps][Event Log] add rule id in non-nested field in action execution documents #195589

Open pmuellr opened 1 month ago

pmuellr commented 1 month ago

The event log documents for action execution include the rule id that caused the action to run; however, it's only stored in the `kibana.saved_objects` field, which is nested, which makes it hard to search for.

Seems like we should probably store it in a non-nested field as well, probably rule.id.

Here's a failed action execution event log document vvv

```json
{
  "@timestamp": "2024-10-09T12:31:03.969Z",
  "event": {
    "provider": "actions",
    "action": "execute",
    "kind": "action",
    "start": "2024-10-09T12:31:03.897Z",
    "end": "2024-10-09T12:31:03.969Z",
    "duration": "72000000",
    "outcome": "failure"
  },
  "kibana": {
    "alert": {
      "rule": {
        "consumer": "stackAlerts",
        "execution": {
          "uuid": "f14f50d8-d970-449d-87c3-6541e6a40126"
        },
        "rule_type_id": ".es-query"
      }
    },
    "saved_objects": [
      {
        "rel": "primary",
        "type": "action",
        "id": "maildev-auth",
        "type_id": ".email",
        "space_agnostic": true
      },
      {
        "rel": "primary",
        "type": "alert",
        "id": "0ad8f17e-f747-44a9-be35-783c94e184a4",
        "type_id": ".es-query"
      }
    ],
    "space_ids": [
      "default"
    ],
    "task": {
      "scheduled": "2024-10-09T12:31:03.277Z",
      "schedule_delay": 620000000
    },
    "action": {
      "name": "email: maildev auth",
      "id": "maildev-auth",
      "type_id": ".email",
      "execution": {
        "uuid": "50ffd1f8-1c7b-4b51-a2f4-6a594a4c3eeb",
        "source": "alert",
        "usage": {
          "request_body_bytes": 2471
        }
      }
    },
    "server_uuid": "a73338b8-8d45-4175-b124-fb02daf13423",
    "version": "9.0.0"
  },
  "user": {},
  "message": "action execution failure: .email:maildev-auth: email: maildev auth",
  "error": {
    "message": "error sending email: connect ECONNREFUSED 127.0.0.1:1025"
  },
  "ecs": {
    "version": "1.8.0"
  }
}
```
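As an added illustration of the proposal above (example code, not Kibana's own implementation), the following derives a non-nested `rule.id` from the `kibana.saved_objects` array of a document like the one shown; the function names and the `rule.id` target are assumptions taken from the issue's suggestion, and the sample document is a trimmed copy of the one in the issue.

```typescript
// Added example (not Kibana code): copy the rule id out of the nested
// `kibana.saved_objects` array into a top-level `rule.id` so it can be
// searched like any other keyword field. `rule.id` is the field the issue
// proposes; it does not exist in the document as written.

interface SavedObjectRef {
  rel?: string;
  type: string;
  id: string;
  type_id?: string;
  space_agnostic?: boolean;
}

interface EventLogDoc {
  kibana?: { saved_objects?: SavedObjectRef[]; [k: string]: unknown };
  rule?: { id?: string };
  [k: string]: unknown;
}

// The rule that triggered the action appears as the primary saved object of
// type "alert" (the saved-object type name rules are stored under). The
// action's own saved object is also rel=primary, so filter on type too.
function findRuleId(doc: EventLogDoc): string | undefined {
  const refs = doc.kibana?.saved_objects ?? [];
  const ruleRef = refs.find((r) => r.type === 'alert' && r.rel === 'primary');
  return ruleRef?.id;
}

// Return a copy of the document with `rule.id` set when a rule ref exists.
// Actions run directly (no rule involved) have no alert saved object and are
// returned unchanged, so the field is only present when it carries a value.
function addRuleIdField(doc: EventLogDoc): EventLogDoc {
  const ruleId = findRuleId(doc);
  if (ruleId === undefined) return doc;
  return { ...doc, rule: { ...(doc.rule ?? {}), id: ruleId } };
}

// Constructed sample: trimmed version of the failed-execution document above.
const sampleDoc: EventLogDoc = {
  '@timestamp': '2024-10-09T12:31:03.969Z',
  event: { provider: 'actions', action: 'execute', outcome: 'failure' },
  kibana: {
    saved_objects: [
      { rel: 'primary', type: 'action', id: 'maildev-auth', type_id: '.email', space_agnostic: true },
      { rel: 'primary', type: 'alert', id: '0ad8f17e-f747-44a9-be35-783c94e184a4', type_id: '.es-query' },
    ],
  },
};

console.log(JSON.stringify(addRuleIdField(sampleDoc).rule));
```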
elasticmachine commented 1 month ago

Pinging @elastic/response-ops (Team:ResponseOps)