diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 2c433905aeb..93ccd5bf896 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -63,6 +63,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix mapping error when zeek weird logs do not contain IP addresses. {pull}15906[15906]
 - Improve `elasticsearch/audit` fileset to handle timestamps correctly. {pull}15942[15942]
 - Prevent Elasticsearch from spewing log warnings about redundant wildcards when setting up ingest pipelines for the `elasticsearch` module. {issue}15840[15840] {pull}15900[15900]
+- Fix mapping error for cloudtrail additionalEventData field {pull}16088[16088]
 *Heartbeat*
diff --git a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
index 0c40e0188be..ddfff12c891 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
@@ -108,8 +108,8 @@ processors:
 - script:
 lang: painless
 source: |
- if (ctx.json.additionalEventdata != null) {
- ctx.aws.cloudtrail.additional_eventdata = ctx.json.additionalEventdata.toString();
+ if (ctx.json.additionalEventData != null) {
+ ctx.aws.cloudtrail.additional_eventdata = ctx.json.additionalEventData.toString();
 }
 ignore_failure: true
 - rename:
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json
index ea7052e9a03..dc6f299be05 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json
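Review bot: In pipeline.yml, `ctx.json.additionalEventData.toString()` stores the map in Java's `{key=value, ...}` form rather than JSON, as the new expected fixture shows (`{LoginTo=..., MobileVersion=No, MFAUsed=No}`), so a detection for console logins without MFA can only substring-match `MFAUsed=No`, and a value that itself contains `, ` or `=` (LoginTo is a URL) cannot be split back reliably. I would at least record that in the script with a comment such as `// Map.toString() form ({k=v, ...}), not JSON; match keys such as MFAUsed by substring`. Separately, `ignore_failure: true` on this script means a failed assignment leaves the event without the field and without any error marker. Whether `ctx.aws.cloudtrail` always exists at this point is not visible here, since the processor list starts and continues outside the hunk.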
@@ -1,6 +1,7 @@
 [
 {
 "@timestamp": "2014-07-16T15:49:27.000Z",
+ "aws.cloudtrail.additional_eventdata": "{LoginTo=https://console.aws.amazon.com/s3/, MobileVersion=No, MFAUsed=No}",
 "aws.cloudtrail.event_version": "1.05",
 "aws.cloudtrail.response_elements": "{ConsoleLogin=Success}",
 "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/JohnDoe",
@@ -34,6 +35,7 @@
 },
 {
 "@timestamp": "2014-07-08T17:35:27.000Z",
+ "aws.cloudtrail.additional_eventdata": "{LoginTo=https://console.aws.amazon.com/sns, MobileVersion=No, MFAUsed=No}",
 "aws.cloudtrail.error_message": "Failed authentication",
 "aws.cloudtrail.event_version": "1.05",
 "aws.cloudtrail.response_elements": "{ConsoleLogin=Failure}",