I have made a test based on the screenshots you shared and in my case it is working correctly.
In a Windows agent I monitor the JSON file:
<localfile>
  <location>C:\Users\54358\Desktop\test-json.json</location>
  <log_format>json</log_format>
</localfile>
In the manager I have created a test rule that checks rule.group and rule.level:
<group name="test">
  <rule id="100002" level="5">
    <field name="rule.groups">downloads</field>
    <field name="rule.level">5</field>
    <description>Test rule - $(path)</description>
  </rule>
</group>
Restart the agent and the manager.
In the monitored file C:\Users\54358\Desktop\test-json.json I paste the test JSON you shared in the image (a little reduced to make the test easier).
{"dhost": "dhost", "duser": "duser", "guid": "guid", "description": "Google Chrome download", "path": "C:\\Users\\user\\Downloads\\VSCodeUserSetup-x64-1.89.1.exe", "rule": {"level": 5, "groups": "downloads"}, "time": "2024-05-16T14:16:33.867282Z", "mime_type": "application/x-msdownload", "referrer": "any-url", "download_chain": ["download_chain"]}
And I see that in the alerts.json the alert is being generated correctly:
{"timestamp":"2024-05-23T14:33:05.233+0000","rule":{"level":5,"description":"Test rule - C:\\Users\\user\\Downloads\\VSCodeUserSetup-x64-1.89.1.exe","id":"100002","firedtimes":4,"mail":false,"groups":["test"]},"agent":{"id":"001","name":"LAPTOP-SI21F60O","ip":"192.168.0.4"},"manager":{"name":"vagrant"},"id":"1716474785.93524","full_log":"{\"dhost\":\"dhost\",\"duser\":\"duser\",\"guid\":\"guid\",\"description\":\"Google Chrome download\",\"path\":\"C:\\\\Users\\\\user\\\\Downloads\\\\VSCodeUserSetup-x64-1.89.1.exe\",\"rule\":{\"level\":5,\"groups\":\"downloads\"},\"time\":\"2024-05-16T14:16:33.867282Z\",\"mime_type\":\"application/x-msdownload\",\"referrer\":\"any-url\",\"download_chain\":[\"download_chain\"]}","decoder":{"name":"json"},"data":{"dhost":"dhost","duser":"duser","guid":"guid","description":"Google Chrome download","path":"C:\\Users\\user\\Downloads\\VSCodeUserSetup-x64-1.89.1.exe","rule":{"level":"5","groups":"downloads"},"time":"2024-05-16T14:16:33.867282Z","mime_type":"application/x-msdownload","referrer":"any-url","download_chain":["download_chain"]},"location":"C:\\Users\\54358\\Desktop\\test-json.json"}
Could you share your file configuration in the agent and the rule you are using?
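
The dotted names in the <field> tags above follow the nesting of the JSON event. As an added example (not part of the original reply and not Wazuh code), this Python sketch flattens one line of the monitored file into such names and checks it against the two conditions of rule 100002. It assumes each event occupies a single line and uses exact string comparison instead of Wazuh's regex matching; the sample line is a constructed, reduced copy of the event in the post.

```python
import json

# Conditions taken from the <field> tags of rule 100002 in the post.
RULE_FIELDS = {"rule.groups": "downloads", "rule.level": "5"}

# Constructed sample: a reduced version of the event pasted in the post.
SAMPLE_LINE = (
    '{"description": "Google Chrome download", '
    '"path": "C:\\\\Users\\\\user\\\\Downloads\\\\VSCodeUserSetup-x64-1.89.1.exe", '
    '"rule": {"level": 5, "groups": "downloads"}, '
    '"download_chain": ["download_chain"]}'
)

def flatten(obj, prefix=""):
    """Map nested JSON objects to dotted names; scalars become strings,
    as in the alert's data section ("level": 5 arrives as "5")."""
    fields = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            fields.update(flatten(value, name + "."))
        elif isinstance(value, (str, list)):
            fields[name] = value  # strings and arrays are kept as they are
        else:
            fields[name] = json.dumps(value)  # 5 -> "5", true -> "true"
    return fields

def check_line(line, rule_fields=RULE_FIELDS):
    """Return (fields, problems) for one line of the monitored file."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError as exc:
        # Typical cause: a pretty-printed event spread over several lines.
        return {}, [f"not valid single-line JSON: {exc.msg}"]
    if not isinstance(event, dict):
        return {}, ["top-level value is not a JSON object"]
    fields = flatten(event)
    problems = [
        f"{name}: expected {want!r}, found {fields.get(name)!r}"
        for name, want in rule_fields.items()
        if fields.get(name) != want
    ]
    return fields, problems

if __name__ == "__main__":
    fields, problems = check_line(SAMPLE_LINE)
    for name, value in fields.items():
        print(f"{name} = {value}")
    print("rule 100002 conditions met" if not problems else problems)
```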