Post
Topic
Board Wallet software
Re: My Ledger Nano S has been hacked
by
shunyata
on 30/08/2017, 04:03:03 UTC
When the ledger does a transaction where change is involved it generates a new address for the change each time. This is to obfuscate the transactions as much as possible.

You can verify you own the change address by downloading https://iancoleman.github.io/bip39/ (preferably to an air-gapped computer) and then, while offline, inputting your Ledger seed and passphrase, if used.

Then under 'Derivation Path' select BIP44. You can find your path in the Chrome app by clicking on the account, then selecting ACCOUNT SETTINGS; under ADVANCED you will see the 'Root Path' (mine was 44'/0'/0'). This will show you all the derived addresses that you may have used for receiving.
To look at the change addresses, try adding a 1 in the External/Internal field. If the address it is trying to send output #2 to is listed there, then you are good to go, knowing those funds are going back to your device.
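
The path layout behind the steps above, as an added example that is not part of the original post or of the tool it links to: BIP44 addresses sit at m/purpose'/coin'/account'/chain/index, and chain 1 (the External/Internal field) is the change chain. The function names and sample paths are constructed for illustration; the default root is the 44'/0'/0' quoted in the post.

```python
"""Check whether a BIP44 derivation path is a change address of one account."""
HARDENED = 0x80000000  # BIP32 marks hardened children by setting the top bit

def parse_path(path):
    """Turn "m/44'/0'/0'/1/5" into a list of BIP32 child numbers."""
    parts = [p for p in path.strip().split("/") if p]
    if parts and parts[0] in ("m", "M"):
        parts = parts[1:]
    numbers = []
    for part in parts:
        hardened = part[-1] in "'hH"
        digits = part[:-1] if hardened else part
        if not (digits.isascii() and digits.isdigit()) or int(digits) >= HARDENED:
            raise ValueError("bad path component: %r" % part)
        numbers.append(int(digits) + (HARDENED if hardened else 0))
    return numbers

def format_path(numbers):
    """Inverse of parse_path, always written with a leading m/ and ' markers."""
    return "m/" + "/".join(
        "%d'" % (n - HARDENED) if n >= HARDENED else str(n) for n in numbers)

def classify(path, root="44'/0'/0'"):
    """Return ("receive" or "change", index) for an address path under root.

    Raises ValueError when the path belongs to another account or does not
    follow the BIP44 shape, so a foreign path is never reported as change.
    """
    full, account = parse_path(path), parse_path(root)
    if len(account) != 3 or any(n < HARDENED for n in account):
        raise ValueError("root must be purpose'/coin'/account', all hardened")
    if len(full) != 5 or full[:3] != account:
        raise ValueError("path is not an address under " + format_path(account))
    chain, index = full[3], full[4]
    if chain not in (0, 1) or index >= HARDENED:
        raise ValueError("chain must be 0 or 1 and the index unhardened")
    return ("change" if chain == 1 else "receive"), index

def change_paths(root="44'/0'/0'", count=5):
    """Paths of the first `count` change addresses to look for in the offline tool."""
    account = parse_path(root)
    return [format_path(account + [1, i]) for i in range(count)]

if __name__ == "__main__":
    # Constructed sample paths, not taken from any real wallet.
    for sample in ("m/44'/0'/0'/0/2", "m/44'/0'/0'/1/5"):
        print(sample, "->", classify(sample))
    print(change_paths(count=3))
```

This only checks the shape of a path; the addresses themselves still have to be derived from the seed in the offline tool and compared with the one shown for the output.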