What triggered application_json.log for "Account Locked"?

I use 13.13.15-ce. I found a log in application_json.log today like this.

"message":"Account Locked: username=root"

Usually This is recorded after the user root has failed login several times and I can expect to see something like below in the same log file or pervious archived log files.

"message":"Failed Login: username=root ip="

But I didn’t find any log relate to the failed login attempts.

There might be someone trying to break into our system but I have no idea how they can immediately lock root user without attempting to login first. I have checked the source code but I didn’t find anyting useful.

If someone has some experience on this I would really appreciate it.