I don´t think that we can find a quick solution without knowing how your rules look. Generally it should not be a problem to have a rule which blocks FTP for Users that are not par of an FTP group in AD. For example you can use something like
If Connection.Protocol equals "FTP" and Auth.Usergroups contains "FTP Group" -> Stop RuleSet
to allow Users in the FTP Group, and right below that rule block all other requests.
Doing so MWG will check an FTP Request and look at the groups a user is member in. If he is in the FTP Group, it will stop processing following rules, if a user is not, he will fall into a "Block all" rule.
This is just one example of many options, of course. You need to make sure that you perform authentication before you check for the groups, this is a mistake I have seen a couple of times.
If you need more information about how to adjust your existing rules, please add some more details.