From 587e69493b6778ec5425d9c387b53665893a6303 Mon Sep 17 00:00:00 2001
From: shubhamraj-git <shubhamraj.osc@gmail.com>
Date: Mon, 1 Jun 2026 11:37:58 +0000
Subject: [PATCH] fix the ftp tls

---
 providers/ftp/src/airflow/providers/ftp/hooks/ftp.py | 2 ++
 providers/ftp/tests/unit/ftp/hooks/test_ftp.py       | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/providers/ftp/src/airflow/providers/ftp/hooks/ftp.py b/providers/ftp/src/airflow/providers/ftp/hooks/ftp.py
index 808ed49ac69aa..922f22637f570 100644
--- a/providers/ftp/src/airflow/providers/ftp/hooks/ftp.py
+++ b/providers/ftp/src/airflow/providers/ftp/hooks/ftp.py
@@ -313,5 +313,7 @@ def get_conn(self) -> ftplib.FTP:
             else:
                 self.conn = ftplib.FTP_TLS(params.host, params.login, params.password, context=context)  # nosec: B321
             self.conn.set_pasv(pasv)
+            # Without prot_p() ftplib transfers file payloads over cleartext sockets even though the control connection is TLS.
+            self.conn.prot_p()
 
         return self.conn
diff --git a/providers/ftp/tests/unit/ftp/hooks/test_ftp.py b/providers/ftp/tests/unit/ftp/hooks/test_ftp.py
index 9e4d8ed9f830b..0a0fcee183be8 100644
--- a/providers/ftp/tests/unit/ftp/hooks/test_ftp.py
+++ b/providers/ftp/tests/unit/ftp/hooks/test_ftp.py
@@ -249,3 +249,11 @@ def test_ftps_encoding_extra(self, mock_ftp_tls):
         hook = FTPSHook("ftp_encoding")
         hook.get_conn()
         assert any(call.kwargs.get("encoding") == "cp1251" for call in mock_ftp_tls.mock_calls)
+
+    @mock.patch("ftplib.FTP_TLS")
+    def test_ftps_enables_protected_data_channel(self, mock_ftp_tls):
+        from airflow.providers.ftp.hooks.ftp import FTPSHook
+
+        hook = FTPSHook("ftp_passive")
+        conn = hook.get_conn()
+        conn.prot_p.assert_called_once_with()