Wrong. In order for a password to be sent to the server it has to be decrypted in memory on that machine first. FTP over TLS/SSL only protects against man-in-the-middle-attacks, it provides no endpoint protection. Malware on a machine is able to do anything the user account it runs under is. FileZilla runs under your user account. As soon as the passwords are entered or decrypted the malware grabs them from memory. Easy as pie.
Any system that has or had a malware on it must be regarded as being compromised!
Any system that has or had a malware on it must be regarded as being compromised!