Question
Possible lookup injection into Log4j messages.
There is a vulnerability found in the FortiDevSec tool. We verified with the developers, and they are saying it is not possible to inject into the logger. Hence they are saying it is a false positive. Is it possible that this is a false positive? What are the things to verify at the code level?
