I guess it really depends what is being FTP'd, and in what ways that person's credentials can be abused. In most schemes, SSL is only used to encrypt the username and password, not the data being transmitted. This is typically sufficient, as the important part is to secure the login credentials and the data does not need to be secured. Other schemes will encrypt the payload as well as the authentication.

Assuming the data itself is not sensitive, there are a few considerations I can think of...

1. Account Compromise. The user's upload account could be compromised. From your post, I assume the user is using FTP to upload some type of file to you. Depending on the server settings, an attacker might be able to gain read/write permission to that folder. Mitigation for this (assuming the user does not need to download anything) would be to make sure that the FTP user has write only access to the specific dedicated folder, and that the folder is set so that no files can be executed in that folder, by anyone, ever. You may also want to turn off read capabilities except for whatever process uses the uploaded file. This can help protect against certain directory transversal attacks (the user uploads a script with the compromised login information, then passes a specially crafted URL to an HTTP server on the same computer that accesses the file, triggering an exploit).

2. Abuse of services. Typically, all FTP accounts correspond to a recognized user of the system. Even if that username has been locked down, it is possible that some services on the system will still accept those credentials when they shouldn't, and it could open an attack vector. (for example, are you sure that those credentials won't work for CPANEL? What about the /~username/ path in Apache? etc.) For that reason, I would suggest checking with the FTP server maker about creating an Alias account, which lets you create a username and password that can be set as aliases for another real user. That way if the logon credentials do fall into the wrong hands, they won't be recognized by the server's user authentication system as a valid account.

__________________
The best way to learn anything, is to question everything.