Securing Control and Data Channels

FTP sessions use two channels: control and data. Only one control-channel is used in each session, but several data-channels may be used – one for each data transfer. The AUTH command only secures the control-channel. Data-channels are not secured until PBSZ and PROT commands are issued. These commands tell the server whether or not subsequent data-channels should be secure.

Clients can connect to FTPS servers in unencrypted mode, and then switch to secure mode upon request. To do so, the client issues an AUTH command, upon which the client and the server negotiate a secure connection. After the switch, all FTP commands are encrypted, but importantly, data transfers are not encrypted unless the PBSZ and PROT commands are also issued.
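
The following is an added example, not part of the original page: a small Python audit that walks a client command log and flags every data transfer made while the data-channel was still unprotected. The function name, the sample session and the assumption that every command succeeded are illustrative; PROT P (private) and PROT C (clear) are the protection levels defined for the PROT command.

```python
# Commands that open a data-channel.
DATA_COMMANDS = {"RETR", "STOR", "STOU", "APPE", "LIST", "NLST", "MLSD"}

def audit_session(commands):
    """Return (line_no, command, reason) for each unprotected data transfer.
    Assumes every command was accepted; server replies are not modelled."""
    control_secure = False   # set by AUTH
    pbsz_sent = False        # PBSZ must precede PROT
    data_protected = False   # set by PROT P, cleared by PROT C
    findings = []
    for line_no, raw in enumerate(commands, start=1):
        parts = raw.strip().split(None, 1)
        if not parts:
            continue
        verb = parts[0].upper()
        arg = parts[1].strip().upper() if len(parts) > 1 else ""
        if verb == "AUTH":
            control_secure = True
            # Modelled here as a fresh security context:
            # data protection has to be negotiated again.
            pbsz_sent = False
            data_protected = False
        elif verb == "PBSZ":
            pbsz_sent = control_secure
        elif verb == "PROT":
            # PROT only takes effect after AUTH and PBSZ.
            if control_secure and pbsz_sent:
                data_protected = (arg == "P")
        elif verb in DATA_COMMANDS:
            if not control_secure:
                findings.append((line_no, verb, "no AUTH: control and data in clear"))
            elif not data_protected:
                findings.append((line_no, verb, "AUTH only: data channel in clear"))
    return findings

# Constructed sample session (not captured from a real server).
SAMPLE = [
    "AUTH TLS", "USER demo", "PASS ********",
    "LIST",                 # control encrypted, listing sent in clear
    "PBSZ 0", "PROT P",
    "RETR report.csv",      # protected
    "PROT C",
    "STOR upload.bin",      # protection switched off again
]

if __name__ == "__main__":
    for finding in audit_session(SAMPLE):
        print(finding)
```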
