diff --git a/decoder.xml b/decoder.xml
index 6757cd0..81a4308 100644
--- a/decoder.xml
+++ b/decoder.xml
@@ -27,13 +27,13 @@
 <decoder name="cgfw-firewall-activity-fields">
   <parent>cgfw-firewall-activity</parent>
   <regex type="pcre2">srcIP=([\d\.]+)</regex>
-  <order>SourceIP</order>
+  <order>srcip</order>
 </decoder>
 
 <decoder name="cgfw-firewall-activity-fields">
   <parent>cgfw-firewall-activity</parent>
   <regex type="pcre2">srcPort=([\d\s]+)</regex>
-  <order>SourcePort</order>
+  <order>srcport</order>
 </decoder>
 
 <decoder name="cgfw-firewall-activity-fields">
@@ -45,13 +45,13 @@
 <decoder name="cgfw-firewall-activity-fields">
   <parent>cgfw-firewall-activity</parent>
   <regex type="pcre2">dstIP=([\d\.]+)</regex>
-  <order>DestinationIP</order>
+  <order>dstip</order>
 </decoder>
 
 <decoder name="cgfw-firewall-activity-fields">
   <parent>cgfw-firewall-activity</parent>
   <regex type="pcre2">dstPort=([\w\s]+)</regex>
-  <order>DestinationPort</order>
+  <order>dstport</order>
 </decoder>
 
 <decoder name="cgfw-firewall-activity-fields">