With the following rules inside the nftables input chaing:
tcp dport 21 ct state established,new counter accept
tcp dport 20 ct state established,related counter accept
tcp dport 1024-65535 ct state established,related counter accept
The pasive FTP connections can login but the data connection can't be established.
In recent kernels (>4.7) it's necessary to load the following module:
And enable the helper: