Most firewalls: TCPTrafficAudit.DestinationPort = 21 (you might want to look for 20, but 21 is telltale)
Proxy servers and application-layer aware firewalls where we know this traffic is FTP: FileTransferTrafficAudit
There's actually a filter included out of the box (IT Operations => FTP Traffic) that you can do a historical search on by clicking Gear > send to nDepth (you might have to expand the time range). It tries to look for all Network Audit Alerts (which would include both of the above) where either the word FTP is included or it's to/from one of those ports, so it should catch most everything.