diff --git a/elastic-ebpf/GPL/Events/EbpfEventProto.h b/elastic-ebpf/GPL/Events/EbpfEventProto.h
index 9156b4e..d858832 100644
--- a/elastic-ebpf/GPL/Events/EbpfEventProto.h
+++ b/elastic-ebpf/GPL/Events/EbpfEventProto.h
@@ -241,8 +241,9 @@ struct ebpf_process_exit_event {
 struct ebpf_event_header hdr;
 struct ebpf_pid_info pids;
 struct ebpf_cred_info creds;
- int32_t exit_code;
+ struct ebpf_tty_dev ctty;
 char comm[TASK_COMM_LEN];
+ int32_t exit_code;
 // Variable length fields: pids_ss_cgroup_path
 struct ebpf_varlen_fields_start vl_fields;
diff --git a/elastic-ebpf/GPL/Events/Process/Probe.bpf.c b/elastic-ebpf/GPL/Events/Process/Probe.bpf.c
index 243abc2..00b5cb0 100644
--- a/elastic-ebpf/GPL/Events/Process/Probe.bpf.c
+++ b/elastic-ebpf/GPL/Events/Process/Probe.bpf.c
@@ -70,6 +70,11 @@ int BPF_PROG(sched_process_fork, const struct task_struct *parent, const struct
 size = ebpf_resolve_pids_ss_cgroup_path_to_string(field->data, child);
 ebpf_vl_field__set_size(&event->vl_fields, field, size);
+ // cwd
+ field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_CWD);
+ size = ebpf_resolve_path_to_string(field->data, &child->fs->pwd, child);
+ ebpf_vl_field__set_size(&event->vl_fields, field, size);
+
 bpf_ringbuf_output(&ringbuf, event, EVENT_SIZE(event), 0);
 out:
@@ -201,6 +206,7 @@ static int taskstats_exit__enter(const struct task_struct *task, int group_dead)
 event->exit_code = (exit_code >> 8) & 0xFF;
 ebpf_pid_info__fill(&event->pids, task);
 ebpf_cred_info__fill(&event->creds, task);
+ ebpf_ctty__fill(&event->ctty, task);
 ebpf_comm__fill(event->comm, sizeof(event->comm), task);
 // Variable length fields
diff --git a/elastic-ebpf/commit b/elastic-ebpf/commit
index 06e54e6..4d72e6a 100644
--- a/elastic-ebpf/commit
+++ b/elastic-ebpf/commit
@@ -1 +1 @@
-817e105658f032a6e8f5070e9fc852ac98231e2e
+ba15ef679e3bbdc784d18fb2cd42d3687b7f1d83
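Review bot: Inserting `ctty` ahead of `comm` and moving `exit_code` after it shifts the offset of every field from `ctty` onward in the fixed part of `ebpf_process_exit_event`, so any userspace reader that decodes this event by layout must change in lockstep, and nothing in the hunk records that. The comment above `vl_fields` only lists the variable-length fields, so I would add a line on the struct saying that its layout is the on-wire format shared with userspace and why `exit_code` was moved rather than `ctty` appended (presumably to keep `struct ebpf_tty_dev` naturally aligned — its definition is outside this hunk, confirm). If `ebpf_event_header` carries a version or size field, bump it in the same change.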
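Review bot: In the fork hunk, `size` from `ebpf_resolve_path_to_string` flows straight into `ebpf_vl_field__set_size` with no check, and `&child->fs->pwd` assumes `child->fs` is populated for every forked task; both mirror the cgroup-path lines just above, so if the helpers already clamp failures to an empty field this is fine, but that contract is not visible here. The `// cwd` comment should state what is resolved and what happens on failure, e.g. `// cwd: child->fs->pwd at fork time; an unresolvable path leaves the field empty` — adjust to the helper's actual behaviour. `BPF_PROG(sched_process_fork, ...)` begins before this hunk and the `out:` path continues past it.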
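Review bot: `ebpf_ctty__fill(&event->ctty, task)` in the exit hunk reads the controlling tty of a task that is already in `do_exit()`, which is only meaningful if the tty is still attached at this tracepoint; on the kernels I know `taskstats_exit()` runs before `disassociate_ctty()`, so the value should be valid, but the ordering this relies on is not documented. I would add `// ctty is still attached here: do_exit() only drops it later in disassociate_ctty() — verify on supported kernels` above the call. `taskstats_exit__enter` starts and ends outside this hunk.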