diff --git a/scripts/base/protocols/ftp/main.zeek b/scripts/base/protocols/ftp/main.zeek
index e33fc07891..aa431f5334 100644
--- a/scripts/base/protocols/ftp/main.zeek
+++ b/scripts/base/protocols/ftp/main.zeek
@@ -169,9 +169,15 @@ function set_ftp_session(c: connection)
 }
 }
+function should_hide_password(s: Info) : bool
+ {
+ return ! s$capture_password && to_lower(s$user) !in guest_ids;
+ }
+
 function ftp_message(c: connection)
 {
 if ( ! c?$ftp ) return;
+ local password_hidden_string = "";
 local s: Info = c$ftp;
 s$ts=s$cmdarg$ts;
 s$command=s$cmdarg$cmd;
@@ -193,16 +199,15 @@ function ftp_message(c: connection)
 s$reply_msg = s$reply_msg[:max_reply_msg_length];
 }
+ # In case of logging PASS command, the password will appear in arg column and might need hiding
+ if ( s$command == "PASS" && should_hide_password(s))
+ s$arg = password_hidden_string;
 if ( s$arg == "" )
 delete s$arg;
- if ( s?$password &&
- ! s$capture_password &&
- to_lower(s$user) !in guest_ids )
- {
- s$password = "";
- }
+ if ( s?$password && should_hide_password(s))
+ s$password = password_hidden_string;
 if ( s?$cmdarg && s$command in logged_commands)
 Log::write(FTP::LOG, s);
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/ftp.log
index cd149015f5..a370a9ee79 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/ftp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/ftp.log
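Review bot: In the second hunk the redacted PASS argument is written as `password_hidden_string`, which is the empty string, and the very next statement `if ( s$arg == "" ) delete s$arg;` then unsets the field, so ftp.log shows a hidden password exactly like a PASS command that carried no argument at all; the password column has the same ambiguity, inherited from the removed block. A non-empty sentinel such as `local password_hidden_string = "<hidden>";` (constructed example, baselines would need regenerating) would make redaction visible to an analyst and keep the `delete` from silently dropping the field. The comparison `s$command == "PASS"` is case-sensitive; unless the analyzer already upper-cases commands, which is not visible here, `to_upper(s$command) == "PASS"` would also catch clients that send the verb in lower case. The new `should_hide_password` in the first hunk deserves a one-line comment, e.g. `# True when the password must not be logged: capture is disabled and the user is not a guest account.` ftp_message continues past the end of the second hunk.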
@@ -8,6 +8,6 @@
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p fuid
 #types time string addr port addr port string string string string string count count string bool addr addr port string
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51354 127.0.0.1 21 zeek - USER zeek - - 230 USER OK - - - - -
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51354 127.0.0.1 21 zeek PASS zeek - - 230 PASS OK - - - - -
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51354 127.0.0.1 21 zeek PASS - - 230 PASS OK - - - - -
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51354 127.0.0.1 21 zeek PASV - - - 230 PASS OK - - - - -
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/ftp.log
index f14e2c92ab..5e1726d0e9 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/ftp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/ftp.log
@@ -8,6 +8,6 @@
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p fuid
 #types time string addr port addr port string string string string string count count string bool addr addr port string
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51344 127.0.0.1 21 zeek - USER zeek - - 230 USER OK - - - - -
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51344 127.0.0.1 21 zeek PASS zeek - - 230 PASS OK - - - - -
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51344 127.0.0.1 21 zeek PASS - - 230 PASS OK - - - - -
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51344 127.0.0.1 21 zeek SYST - - - 230 PASS OK - - - - -
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/ftp.log
index bcc46520f9..502b5f6f7d 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/ftp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/ftp.log
@@ -8,6 +8,6 @@
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p fuid
 #types time string addr port addr port string string string string string count count string bool addr addr port string
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51346 127.0.0.1 21 zeek - USER zeek - - 230 USER OK - - - - -
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51346 127.0.0.1 21 zeek PASS zeek - - 230 PASS OK - - - - -
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51346 127.0.0.1 21 zeek PASS - - 230 PASS OK - - - - -
 XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51346 127.0.0.1 21 zeek RETR ftp://127.0.0.1/. - - 230 PASS OK - - - - -
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command-hidden/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command-hidden/conn.log
new file mode 100644
index 0000000000..f0c6f721ca
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command-hidden/conn.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.10.132 46648 192.168.10.188 21 tcp ftp 15.009303 25 134 SF T T 0 ShAdDaFf 7 325 8 466 -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command-hidden/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command-hidden/ftp.log
new file mode 100644
index 0000000000..6823c1d9f3
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command-hidden/ftp.log
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ftp
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p fuid
+#types time string addr port addr port string string string string string count count string bool addr addr port string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.10.132 46648 192.168.10.188 21 Admin - USER Admin - - 331 Please, specify the password. - - - - -
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.10.132 46648 192.168.10.188 21 Admin PASS - - 530 Login incorrect. - - - - -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command/conn.log
new file mode 100644
index 0000000000..f0c6f721ca
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command/conn.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.10.132 46648 192.168.10.188 21 tcp ftp 15.009303 25 134 SF T T 0 ShAdDaFf 7 325 8 466 -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command/ftp.log
new file mode 100644
index 0000000000..45e34b4b80
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-password-pass-command/ftp.log
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ftp
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p fuid
+#types time string addr port addr port string string string string string count count string bool addr addr port string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.10.132 46648 192.168.10.188 21 Admin - USER Admin - - 331 Please, specify the password. - - - - -
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.10.132 46648 192.168.10.188 21 Admin qwerty PASS qwerty - - 530 Login incorrect. - - - - -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/ftp/ftp-password-pass-command.pcap b/testing/btest/Traces/ftp/ftp-password-pass-command.pcap
new file mode 100644
index 0000000000..a199469b05
Binary files /dev/null and b/testing/btest/Traces/ftp/ftp-password-pass-command.pcap differ
diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-password-pass-command-hidden.zeek b/testing/btest/scripts/base/protocols/ftp/ftp-password-pass-command-hidden.zeek
new file mode 100644
index 0000000000..252c58f877
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ftp/ftp-password-pass-command-hidden.zeek
@@ -0,0 +1,12 @@
+# @TEST-DOC: Adding PASS to logged commands should hide the password in password and arg column
+# @TEST-EXEC: zeek -b -Cr $TRACES/ftp/ftp-password-pass-command.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ftp.log
+# @TEST-EXEC: test ! -f reporter.log
+
+@load base/protocols/conn
+@load base/protocols/ftp
+
+redef FTP::logged_commands += { "USER", "PASS", "SYST", "QUIT" };
+
+redef FTP::default_capture_password = F;
\ No newline at end of file
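Review bot: The hidden-password test only logs in as `Admin`, a user that is not in `FTP::guest_ids`, so the `to_lower(s$user) !in guest_ids` half of the new should_hide_password check is never exercised for the arg column that this change starts redacting. A companion test, or a second connection in the trace, using a guest login such as `anonymous` would pin down that a guest "password" still appears in both the password and arg columns when PASS is in `logged_commands`. Since the trace is shared with the non-hidden test, the `@TEST-DOC` line could also state that the difference between the two tests is only `FTP::default_capture_password`, e.g. `# @TEST-DOC: Same trace as ftp-password-pass-command.zeek, but with password capture disabled (the default).`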
diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-password-pass-command.zeek b/testing/btest/scripts/base/protocols/ftp/ftp-password-pass-command.zeek
new file mode 100644
index 0000000000..4555c36ce6
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ftp/ftp-password-pass-command.zeek
@@ -0,0 +1,12 @@
+# @TEST-DOC: Adding PASS to logged commands should log the password in password and arg column
+# @TEST-EXEC: zeek -b -Cr $TRACES/ftp/ftp-password-pass-command.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ftp.log
+# @TEST-EXEC: test ! -f reporter.log
+
+@load base/protocols/conn
+@load base/protocols/ftp
+
+redef FTP::logged_commands += { "USER", "PASS", "SYST", "QUIT" };
+
+redef FTP::default_capture_password = T;
\ No newline at end of file