This is an old technique to perform port scanning in a stealthy way. The vulnerability lies in the PORT command used by FTP to transfer data in the ACTIVE mode.

Using this technique, an attacker can instruct the FTP server to open a connection to a particular port of a machine that might not be the originating client. Such a situation may allow an attacker to perform a port scan on a target by hiding his own identity. Nmap has an option –b to perform this type of scan. However, most of the FTP servers out there are aware about this attack and are configured accordingly to block such a scan and hence prevent an FTP bounce attack.

In a rare case, if you doubt that someone is trying to perform such an attack on the network, then you may want to use the following filters:

ftp.request.command == "PORT"
ftp.response.code == 226 || ftp.response.code == 426...