In reality, the risk is minimal IF the internet connection is safe.
Intercepting packets is almost impossible (without being part of the police), therefore even plain text passwords on internet do not present real risks,
IF you connect from a trusted connection, for example your home router used as an WiFi access point, or your smartphone 4G called from "home".
Changes radically IF you use a public WiFi, or company or friend's, in short in all cases where you are not sure that there is not a network card in promiscuous mode or a packet logger or whatever you want.
The "urban legend" tells that it is easy to intercept internet traffic by everyone.
It's simply not true.
So if you have a FTP server on you Android phone, with a strong username and strong password, and the FTP server is not flawed/bugged, you are safe even in plain text
IF
1) your phone and your PC are on yours home wifi network, and you connect the PC's FTP client to the Phone FTP server. It's a common, and safe, scenario.
2) your phone is on 4G ("on internet"), and you connect your PC FTP client (to the phone) from your home (WiFi or LAN) network. If the FTP server does not have holes there is no risk, at most slowdowns if you are targeted for multiple attempts.
4G networks usually have dynamic IPs, so it's not very frequent, but it happens.