Format used is [{"Username": "pavel", "Password": "pass"}]. There is an additional "Type": ["AcceptedByServer"] property, used for credentials which the honeypot allowed.
All attempted credentials are first stored in a session. Then, when the session is closed, they are stored in the aggregation under the AID key (the aggregation ID (AID) "src_ip,dst_ip"). The credentials are flushed from the aggregation when the aggregation window expires. They are included in the Attempt.Login event.
With the successful login (event type Intrusion.UserCompromise), only the accepted pair of username/password is sent with that event.