Here’s a Burp trick you might not know, which helped find this instance of command execution and lots of SQL injection in other applications. Despite PortSwigger claiming otherwise, Burp does not parse JSON very well, especially nested JSON parameters and values like you see below.
I even routinely see Burp flat out ignore simple JSON in the body of requests during active scanning.
To combat this, you can set custom injection points. Just send the request you want to scan to Intruder > highlight the areas you want to scan > right-click > actively scan defined insertion points.
Hopefully this will be helpful during application penetration tests, as I run into this issue extremely frequently.