DataDog/libddwaf

Missing matching key path for is_xss

Julio-Guerra opened this issue · 1 comment

We've noticed the matching key path is not returned by is_xss.
For example, if you give the WAF this input:

{
    "server.request.query": { "key": [ "<script>alert()</script>", "value2" ] }
}

It doesn't return the key path [ "key", 0 ] in the returned JSON blob.
See https://datadoghq.atlassian.net/browse/APPSEC-1913 for more details and context.

Not a bug in the end: the returned key_path is correct, and it's just a mismatch with the security event v1 on Go's end.