@bedge
Last active March 20, 2021 16:04
Sumo collector JSON mask rule syntax for JSON log message field names. Wacky escaping required, e.g.: {"username":"name to redact"}
{
  "api.version":"v1",
  "sources":[
    {
      "name": "app.log",
      "description": "app.log json",
      "category": "product/app",
      "timezone": "UTC",
      "sourceType": "LocalFile",
      "forceTimeZone": true,
      "pathExpression": "/var/log/app.log",
      "filters":[{
        "filterType":"Mask",
        "name":"userName",
        "regexp":"\\\\\"userName\\\\\":\\\\\"([^\\\\\"]+)\\\\\",",
        "mask":"USERNAME_MASK"
      },{
        "filterType":"Mask",
        "name":"email",
        "regexp":"\\\\\"email\\\\\":\\\\\"([^\\\\\"]+)\\\\\",",
        "mask":"EMAIL_MASK"
      },{
        "filterType":"Mask",
        "name":"firstname",
        "regexp":"\\\\\"firstName\\\\\":\\\\\"([^\\\\\"]+)\\\\\",",
        "mask":"FIRSTNAME_MASK"
      },{
        "filterType":"Mask",
        "name":"lastname",
        "regexp":"\\\\\"lastName\\\\\":\\\\\"([^\\\\\"]+)\\\\\",",
        "mask":"LASTNAME_MASK"
      },{
        "filterType":"Mask",
        "name":"phone",
        "regexp":"\\\\\"phone\\\\\":\\\\\"([^\\\\\"]+)\\\\\",",
        "mask":"PHONE_MASK"
      }]
    }
  ]
}
bedge commented Mar 20, 2021

Neither doc page, from the UI or the JSON config rules page, alludes to the level of escaping required, so maybe this will save someone a bit of time.
I ended up crafting the regex using the sumo admin UI, with the collector in "cloud mode", then using the (i) info button to dump the json and scraping that into the collector json, then flipping the collector back to "local mode" so that it picked up the local json instead of the cloud cfg.
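
The escaping layers in the rules above, unwound in an added example (not part of the original gist): it decodes the `email` filter from the config and applies it to constructed log lines. It assumes the collector substitutes the mask string for the capture group and that Python's `re` reads this pattern the same way the collector's regex engine does; `apply_mask` and `log_line` are hypothetical helper names.

```python
import json
import re

# One filter copied verbatim from the collector config above. The raw string
# preserves the file's bytes: five backslashes before every quote.
FILTER_JSON = r'''{"filterType":"Mask","name":"email",
"regexp":"\\\\\"email\\\\\":\\\\\"([^\\\\\"]+)\\\\\",","mask":"EMAIL_MASK"}'''

# Layer 1: JSON string decoding turns \\\\\" into \\" (two backslashes, quote).
RULE = json.loads(FILTER_JSON)
# Layer 2: the regex engine reads \\" as "literal backslash, then quote", so the
# rule targets JSON embedded as an escaped string inside another JSON record.
PATTERN = re.compile(RULE["regexp"])


def apply_mask(line):
    """Replace capture group 1 of each match with the mask (assumed semantics)."""
    out, last = [], 0
    for m in PATTERN.finditer(line):
        out += [line[last:m.start(1)], RULE["mask"]]
        last = m.end(1)
    return "".join(out + [line[last:]])


def log_line(inner):
    """Constructed sample: outer JSON record whose message field holds JSON text."""
    compact = {"separators": (",", ":")}
    message = json.dumps(inner, **compact)
    return json.dumps({"level": "info", "message": message}, **compact)


# Constructed inputs (not real log data).
MID = log_line({"email": "alice@example.com", "id": 7})   # field followed by a comma
LAST = log_line({"id": 7, "email": "alice@example.com"})  # field closes the object
FLAT = json.dumps({"email": "alice@example.com", "id": 7}, separators=(",", ":"))

if __name__ == "__main__":
    for label, line in (("mid", MID), ("last", LAST), ("flat", FLAT)):
        masked = apply_mask(line)
        status = "masked" if masked != line else "NOT masked"
        print(f"{label:5} {status:10} {masked}")
```

Only the first line is masked: the pattern requires a trailing comma, so a field that closes the embedded object passes through, as does JSON logged without the extra escaping layer.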
