Nearly everything in that NAT rule set you posted is disabled. Once you take out the disabled lines, only the below is left:
/ ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.0.6 to-ports=20-21 \
dst-address=18.104.22.168 dst-port=20-21 protocol=tcp \
add chain=srcnat action=src-nat to-addresses=22.214.171.124 to-ports=0-65535 \
out-interface=voip src-address=192.168.0.0/24 comment="LAN via MCI via IP \
Address 126.96.36.199. Do not change. Used for VPN Traffic" disabled=no
That's correct (though the comment on the srcnat chain is wildly inaccurate), but you're filtering the port. You are accepting ports 20/21 in the input chain (though the comment is incorrect, you're not just accepting from trusted sources, you're accepting from everywhere):
add chain=input action=accept dst-port=20-21 protocol=tcp comment="ftp access \
to router from trusted sources" disabled=no
But the traffic won't be in the input chain. dstnat happens before input/output/forward, and because the destination IP address after dstnat is no longer local the packets will be in the forward chain. The only reference to ports 20/21 in the forward chain is in the chain 'tcp-services':
add chain=tcp-services action=accept src-port=0-65535 dst-port=20-21 \
protocol=tcp comment="ftp" disabled=no
and while they are accepted there (though it doesn't make sense to check for a source port if you're going to permit every possible source port, that's just eating resources for a check that will always succeed) you're only jumping to 'tcp-services' with a condition of 'in-interface=lan', which isn't true for the Internet accessing the FTP server.
add chain=forward action=jump jump-target=tcp-services in-interface=lan \
protocol=tcp comment="allow all outgoing from LAN tcp services" \
Since you do have a default drop in the forward chain, FTP traffic to the FTP server will be dropped, since it isn't accepted first:
add chain=forward action=log log-prefix="FDROP" comment="log drop everything \
add chain=forward action=drop comment="drop everything else" disabled=yes
And that log message before the drop matches what you've been posting.
Caveat on all of the above: that's one hell of a ruleset, most of it isn't even in use as it's marked disabled and it could be summarized quite a lot (why do you have 20 rules for NAT exemption for VPN when you could just build address lists and refer to them in one quick rule?) - at a quick glance it's rather confusing and I don't want to spend an hour going through it, so I'm not 100% sure that the above is correct. You should really look at simplifying your configuration.
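The packet path described in the post above, as an added example that is not part of the original post: a simplified Python model of dstnat followed by chain selection, run over the filter rules quoted there. The public address `203.0.113.10`, the interface name `wan`, and the extra forward accept rule in `with_fix` are assumptions made for illustration.

```python
# Simplified model of RouterOS packet flow for the rules quoted in the post.
ROUTER_IP = "203.0.113.10"   # constructed placeholder for the public address
FTP_SERVER = "192.168.0.6"   # to-addresses from the dstnat rule in the post
CHAINS = {  # filter rules quoted above; the drop is active, as the post describes
    "input": [{"action": "accept", "proto": "tcp", "dport": (20, 21)}],
    "forward": [
        {"action": "jump", "target": "tcp-services", "in_if": "lan", "proto": "tcp"},
        {"action": "drop"},  # "drop everything else"
    ],
    "tcp-services": [{"action": "accept", "proto": "tcp", "dport": (20, 21)}],
}

def dstnat(pkt):
    """dstnat runs before the routing decision and rewrites the destination."""
    hit = pkt["proto"] == "tcp" and pkt["dst"] == ROUTER_IP and 20 <= pkt["dport"] <= 21
    return {**pkt, "dst": FTP_SERVER} if hit else pkt

def matches(rule, pkt):
    lo, hi = rule.get("dport", (0, 65535))
    return (rule.get("proto", pkt["proto"]) == pkt["proto"]
            and rule.get("in_if", pkt["in_if"]) == pkt["in_if"]
            and rule.get("dst", pkt["dst"]) == pkt["dst"]
            and lo <= pkt["dport"] <= hi)

def run_chain(chains, name, pkt):
    for rule in chains[name]:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            result = run_chain(chains, rule["target"], pkt)
            if result:           # terminal verdict inside the jumped-to chain
                return result
        else:
            return rule["action"]
    return None                  # fell off the end: return to the caller

def verdict(chains, pkt):
    pkt = dstnat(pkt)
    chain = "input" if pkt["dst"] == ROUTER_IP else "forward"
    return chain, run_chain(chains, chain, pkt) or "accept"

def with_fix(chains):
    """Hypothetical fix: accept FTP to the server ahead of the final drop."""
    rule = {"action": "accept", "proto": "tcp", "dst": FTP_SERVER, "dport": (20, 21)}
    return {**chains, "forward": [rule] + chains["forward"]}

INTERNET_FTP = {"proto": "tcp", "in_if": "wan", "dst": ROUTER_IP, "dport": 21}  # constructed

if __name__ == "__main__":
    print(verdict(CHAINS, INTERNET_FTP), verdict(with_fix(CHAINS), INTERNET_FTP))
```

The model ignores connection tracking and the FTP data-channel helper; it only shows which chain the packet lands in and which rule decides it.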