There are program utilities called packet sniffers that capture TCP and UDP traffic leaving and entering a computer. Once you see a result, you understand that FTP and HTTP data exchange is absolutely not secure.
Here is an example, I have opened DOS FTP window and connected to the Microsoft FTP service while have EtherDetect packet sniffer running:
220 Microsoft FTP Service
USER anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
PASS user@hotmail.com
230-Welcome to ftp.microsoft.com. Please also visit
http://www.microsoft.com/downloads.
230 Anonymous user logged in.
PORT 192,168,1,103,19,137
200 PORT command successful.
LIST
150 Opening ASCII mode data connection for /bin/ls.
dr-xr-xr-x 1 owner group 0 Nov 25 2002 bussys
dr-xr-xr-x 1 owner group 0 May 21 2001 deskapps
dr-xr-xr-x 1 owner group 0 Apr 20 2001 developr
dr-xr-xr-x 1 owner group 0 Nov 18 2002 KBHelp
dr-xr-xr-x 1 owner group 0 Jul 2 2002 MISC
dr-xr-xr-x 1 owner group 0 Dec 16 2002 MISC1
dr-xr-xr-x 1 owner group 0 Feb 25 2000 peropsys
dr-xr-xr-x 1 owner group 0 Jan 2 2001 Products
dr-xr-xr-x 1 owner group 0 Apr 4 2003 PSS
dr-xr-xr-x 1 owner group 0 Sep 21 2000 ResKit
dr-xr-xr-x 1 owner group 0 Feb 25 2000 Services
dr-xr-xr-x 1 owner group 0 Feb 25 2000 Softlib
226 Transfer complete.
QUIT
221 Thank you for visiting ftp.microsoft.com.
As you can see, everything is transferred openly.