How to config YAML to show only alerts with events

I would like to reduce the EVE file size and only have alerts along with their associated events.

I just asked ChatGPT and it told me to do the following. Is this correct?

  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
        - alert
        - http
        - tls
        - dns
        - smtp
        - ssh
        - stats
  - alert:
      enabled: yes
      filename: /var/log/suricata/alerts.json
      # Show alerts with events only
      output.alert_with_payload: yes

I’ve never seen an alert output. Also, the colon after outputs is missing.
I’d rather suggest looking at the suricata.yaml file’s outputs.eve-log section (suricata/ at master · OISF/suricata · GitHub) manually and disabling all subsections beneath types that you do not want. That is, just delete them and their options, or comment them out with #.

ChatGPT is known to make up things, such as the nonexistent alert output or the equally fictional alert_with_payload setting.

Also, keep in mind that the above setting will output all metadata of the given type, even if there was no alert associated! If you only want metadata when there is an alert, it is better to just add the metadata to the alert itself, using the alert type's `metadata` option (suricata/ at master · OISF/suricata · GitHub). That is turned on by default IIRC. That will give you the original metadata inside the alert.
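To make the advice in the answer concrete, here is an eve-log section that keeps only the alert type and relies on the alert's own `metadata` option to carry the protocol record that triggered it. This is an added example, not the configuration shipped by the Suricata project and not something posted in the thread above; the key names (`outputs`, `eve-log`, `types`, `alert`, `metadata`, `payload`, `packet`) are taken from the stock suricata.yaml, and it is assumed that they match the version you are running, so compare against your own file before applying it.

```yaml
# Added example: eve.json with alert events only.
# Per-protocol types (http, dns, tls, smtp, ssh, ...) are deliberately absent
# because each of them logs every transaction whether or not an alert fired.
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
            # Embed the app-layer metadata (http, dns, tls, ...) of the flow
            # that produced the alert inside the alert record itself.
            # This is on by default; it is written out here to make the
            # intent explicit.
            metadata: yes
            # Optional extras; leave them off to keep alert records small.
            payload: no
            packet: no
        # Add `- stats` back here only if you want the periodic counters.
```

After a restart, every line of eve.json should carry `"event_type":"alert"`, and the protocol details you used to get from the separate http/dns/tls events now appear as nested objects inside each alert.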