diff --git a/packages/proofpoint_on_demand/changelog.yml b/packages/proofpoint_on_demand/changelog.yml
index a472f3c541c..aa9b4768eaf 100644
--- a/packages/proofpoint_on_demand/changelog.yml
+++ b/packages/proofpoint_on_demand/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.1.1"
+ changes:
+ - description: Fix definition of subfields of nested objects
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11031
 - version: "0.1.0"
 changes:
 - description: Initial release.
diff --git a/packages/proofpoint_on_demand/data_stream/audit/fields/fields.yml b/packages/proofpoint_on_demand/data_stream/audit/fields/fields.yml
index 5a47c94651a..1f504a91a7a 100644
--- a/packages/proofpoint_on_demand/data_stream/audit/fields/fields.yml
+++ b/packages/proofpoint_on_demand/data_stream/audit/fields/fields.yml
@@ -74,13 +74,12 @@
 description: The IP address of the service.
 - name: tags
 type: nested
- fields:
- - name: name
- type: keyword
- description: Tag name for the particular instance of event.
- - name: value
- type: keyword
- description: The value associated with the tag name.
+ - name: tags.name
+ type: keyword
+ description: Tag name for the particular instance of event.
+ - name: tags.value
+ type: keyword
+ description: The value associated with the tag name.
 - name: ts
 type: date
 description: Timestamp of when the event to be audited occurred.
diff --git a/packages/proofpoint_on_demand/docs/README.md b/packages/proofpoint_on_demand/docs/README.md
index d8b2cf979a9..2c995f1d3fb 100644
--- a/packages/proofpoint_on_demand/docs/README.md
+++ b/packages/proofpoint_on_demand/docs/README.md
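Review bot: The `tags` entry in `data_stream/audit/fields/fields.yml` now carries only `name` and `type: nested`, so it has no description, and the README row this commit adds for `proofpoint_on_demand.audit.tags` has an empty description cell. I would add a line under `type: nested` such as `description: Tags attached to the audit event, as name/value pairs.` (wording inferred from the two sub-field descriptions). Because the field is mapped as nested, searches and detection rules that need a tag name and its value to match within the same tag object have to use a nested query, which may be worth one sentence in that description. The field list this hunk edits starts and ends outside the hunk.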
@@ -226,6 +226,7 @@ An example event for `audit` looks as following:
 | proofpoint_on_demand.audit.service.customer_id | The customer id of the service. | keyword |
 | proofpoint_on_demand.audit.service.id | The IDM service id. | keyword |
 | proofpoint_on_demand.audit.service.ip_address | The IP address of the service. | ip |
+| proofpoint_on_demand.audit.tags | | nested |
 | proofpoint_on_demand.audit.tags.name | Tag name for the particular instance of event. | keyword |
 | proofpoint_on_demand.audit.tags.value | The value associated with the tag name. | keyword |
 | proofpoint_on_demand.audit.ts | Timestamp of when the event to be audited occurred. | date |
diff --git a/packages/proofpoint_on_demand/manifest.yml b/packages/proofpoint_on_demand/manifest.yml
index 004ba8d3693..70de2ae690d 100644
--- a/packages/proofpoint_on_demand/manifest.yml
+++ b/packages/proofpoint_on_demand/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.1.4
 name: proofpoint_on_demand
 title: Proofpoint On Demand
-version: 0.1.0
+version: 0.1.1
 description: Collect logs from Proofpoint On Demand with Elastic Agent.
 type: integration
 categories: