Pattern 5: FTP Syslog

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Pattern 5: FTP Syslog | Base Rule | Ops/Information | General FTP Information |
| FTP Anonymous Login | Sub Rule | Security/Suspicious | Suspicious User Activity |
| FTP Administrator Login | Sub Rule | Audit/Authentication Success | User Logon |
| FTP Successful Login | Sub Rule | Audit/Authentication Success | User Logon |
| FTP Failed Login | Sub Rule | Audit/Authentication Failure | User Logon Failure |
| FTP Incorrect Login | Sub Rule | Audit/Authentication Failure | Authentication Failure Activity |
| FTP Transfer Complete | Sub Rule | Audit/Other Audit Success | File Transfer Complete |
| FTP User Logout | Sub Rule | Audit/Authentication Success | User Logoff |
| FTP Directory Listing | Sub Rule | Audit/Access Success | Object Read |
| FTP Connection | Sub Rule | Ops/Network Traffic | Connection Established |
| FTP File Transfer Requested | Sub Rule | Ops/Information | Transfer Request |
| FTP User Login | Sub Rule | Audit/Authentication Success | User Logon |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| | <dip> | IP Address | |
| | <sip> | IP Address | |
| | <session> | Text\String | |
| | <login> | Text\String | |
| | <tag1> | Text\String | |
| | <tag2> | Text\String | |
| | <tag3> | Text\String | |