Dear,
FTP was created solely for the purpose of transferring files, the great advantage of this protocol over HTTP is the possibility of "double-handed" transfer without the need for development, in a native way, if you are in doubt regarding the 2 I believe that your need is to provide the files and your customers will only download without any upload.
In terms of security, the two are similar, for example, in relation to attacks of the type man-in-the-Middle the 2 will have similar performance, since the transfer is basically in plain text (without encryption) in both cases and can be easily intercepted, which can be bypassed with sftp(ssh) as mentioned by @Miguel or with FTPS(SSL) .
I believe that in 99% of the cases what dictates the technology to be used is the ultimate need, so:
If you only need to send files, and these files are not sensitive (not confidential) I would definitely choose HTTP for the reason you specified, there are no firewall problems of the clients.
If your data is confidential you would choose the sftp(ssh) or the FTPS(SSL), properly configured (anonymous user disabled, strong passwords, etc..).
In addition to these options there is also a middle ground, which is to use a secure file exchange platform for HTTPS, recently implanted in a client and has fully served: https://pydio.com/
If the problem is a lack of security in relation to FTP, you may choose sftp: https://www.digitalocean.com/community/tutorials/howto use-o-sftp-para-transferir-arquivos-com-security-com-um-servor-remoto-pt
– Miguel
HTTP was not created for binary file transfer (although it is capable of doing so), so if this is the focus, it is not the most appropriate protocol.
– bfavaretto
@bfavaretto But what about FTP problems? Amazon, with its large-scale S3 service, does not just use HTTP for communication?
– Murillo Goulart
@bfavaretto Ops. Does not use FTP.
– Murillo Goulart
@Murillogoulart although "similar", S3 is not a file system (nor does it have a directory concept). It is mere <-> key object association. FTP was not made to work outside filesystems. It would not make much sense to adapt the protocol simply to "mimic" the behavior.
– Bacco