This is because FTP doesn't use one port.
Port 21 is used for the control channel. In addition, one or more ephemeral ports are used for data, e.g. actual file transfer.
Originally the data channel direction was from server to client. The client requested a file over the control channel, and told the server to which port at the client's IP to send the data.
This broke when NAT became the norm; the client was no longer able to listen on an ephemeral port. In came Passive Mode. The server now listens on an arbitrary port, and tells the client which port it should connect to for getting the data.
While you can make this work through a firewall, there are few reasons to bother these days. It doesn't support encryption, and client support for FTP is dropping. Major browsers have dropped support for it.
Move to a more modern protocol, such as HTTPS+WebDAV or SFTP. FTP is simply not suited for the Internet we have today. More modern protocols have sane security, and combine control and command channel, so you don't have to fall back to multiple connections per session.
The first FTP standard is from before the last time mankind walked on the moon. It's ancient. While updated since then, it's about time we retire it.
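
The passive-mode handshake described above, as an added example that is not part of the original answer: it parses the server's 227 (PASV) and 229 (EPSV) replies into the data endpoint the client must connect to, and flags an advertised address that does not match the control connection, as happens when a server behind NAT announces its internal IP. The function names and sample replies are constructed for illustration.

```python
import ipaddress
import re

# 227 reply (RFC 959): h1,h2,h3,h4,p1,p2 -> host h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# 229 reply (RFC 2428): (|||port|); the host is the control-connection peer
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_data_endpoint(reply, control_peer):
    """Return the (host, port) the client must open its data connection to."""
    m = PASV_RE.match(reply)
    if m:
        octets = [int(g) for g in m.groups()]
        if any(o > 255 for o in octets):
            raise ValueError("octet out of range in 227 reply")
        host = ".".join(map(str, octets[:4]))
        port = octets[4] * 256 + octets[5]
    else:
        m = EPSV_RE.match(reply)
        if not m:
            raise ValueError("not a 227/229 passive-mode reply")
        host, port = control_peer, int(m.group(2))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return host, port


def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def check_endpoint(reply, control_peer):
    """Parse the reply and list address mismatches worth investigating."""
    host, port = parse_data_endpoint(reply, control_peer)
    issues = []
    if host != control_peer:
        issues.append("advertised host differs from control-connection peer")
    if is_rfc1918(host) and not is_rfc1918(control_peer):
        issues.append("server advertises an RFC 1918 address to an outside client")
    return host, port, issues


if __name__ == "__main__":
    # Constructed sample replies; 203.0.113.10 is a documentation address.
    for line in ("227 Entering Passive Mode (203,0,113,10,195,80)",
                 "227 Entering Passive Mode (192,168,1,5,195,80)",
                 "229 Entering Extended Passive Mode (|||50000|)"):
        print(line, "->", check_endpoint(line, "203.0.113.10"))
```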