Greetings Steve:

/var/ossec/etc/ossec.conf contains what rule files in /var/ossec/rules
are utilized by ossec.

There is a /var/rules/proftpd_rules.xml file; if it does not
contain what you need, you can create custom rules (including
overwriting existing rules) in /var/rules/local_rules.xml.

Please note /var/ossec/etc/ossec.conf does need to be updated with
what log files you want monitored.

This is typically towards the end of the file, and you can add entries
such as:

  <localfile>
    <log_format>syslog</log_format>
    <location>[full path to xfer log without brackets]</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/proftpd/current</location>
  </localfile>

Thank you.
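
Added example, not part of the original message: a small Python check that reads an ossec.conf and reports whether the rule files and log paths discussed above are actually configured. The function names and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf (not from a real host); two top-level blocks.
SAMPLE_CONF = """\
<ossec_config>
  <rules>
    <include>syslog_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/proftpd/current</location>
  </localfile>
</ossec_config>
"""

def parse_ossec_conf(text):
    """Return (included rule files, [(log_format, location), ...])."""
    # The file may hold several <ossec_config> blocks, which is not a single
    # XML document, so wrap everything in one synthetic root before parsing.
    root = ET.fromstring("<root>" + text + "</root>")
    rules = [e.text.strip() for r in root.iter("rules")
             for e in r.findall("include") if e.text]
    logs = [(lf.findtext("log_format", "").strip(),
             lf.findtext("location", "").strip())
            for lf in root.iter("localfile")]
    return rules, logs

def audit(text, wanted_rules, wanted_logs):
    """List what is missing for the wanted rule files and log paths."""
    rules, logs = parse_ossec_conf(text)
    monitored = {loc for _, loc in logs}
    findings = ["rule file not included: " + r
                for r in wanted_rules if r not in rules]
    findings += ["log not monitored: " + p
                 for p in wanted_logs if p not in monitored]
    # A location still wrapped in [brackets] is the unedited template text.
    findings += ["placeholder left in <location>: " + loc
                 for loc in sorted(monitored) if loc.startswith("[")]
    return findings

if __name__ == "__main__":
    wanted = (["proftpd_rules.xml", "local_rules.xml"],
              ["/var/log/proftpd/current"])
    for line in audit(SAMPLE_CONF, *wanted) or ["ok"]:
        print(line)
```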
