Currently, the Lockout Policy for FTP/SFTP is based on the user. If the user ID attempted is not in the system or doesn't have access to the FTP/SFTP adapter, then the attempt doesn't count. If the user does exist and the policy is violated, then only the user is locked out, not the source IP address. Subsequent FTP/SFTP connections are still allowed from the violating IP address.
This should instead be based on the IP address. If any client from an IP address fails the user/password or user/key authentication, then that IP should be blocked for the time dictated by the policy. No further connections from that IP address should be allowed until the lock is cleared.
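A sketch of the requested per-IP behaviour, added here as an illustration and not taken from the product: failures are counted against the source address whether or not the user ID exists, and a locked address is refused before authentication. The class name, the `max_failures` and `lock_seconds` policy fields, the reset-on-success rule, and the sample events are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class IpLockoutPolicy:
    """Hypothetical per-source-IP lockout; field names and values are assumed."""
    max_failures: int = 3         # assumed policy threshold
    lock_seconds: float = 900.0   # assumed policy lock duration
    failures: dict = field(default_factory=dict)      # ip -> failed attempts
    locked_until: dict = field(default_factory=dict)  # ip -> unlock time

    def is_blocked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Lock has expired: clear it and restart the failure count.
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now):
        # Counted even when the user ID is unknown or lacks adapter access.
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_failures:
            self.locked_until[ip] = now + self.lock_seconds

    def record_success(self, ip):
        self.failures.pop(ip, None)  # assumption: a good login resets the count


def simulate(events, policy):
    """events: (time, source_ip, user_id, auth_ok) tuples -> list of outcomes."""
    outcomes = []
    for now, ip, _user, auth_ok in events:
        if policy.is_blocked(ip, now):
            outcomes.append("refused")  # rejected before any authentication
        elif auth_ok:
            policy.record_success(ip)
            outcomes.append("accepted")
        else:
            policy.record_failure(ip, now)
            outcomes.append("auth_failed")
    return outcomes


# Constructed sample: one address cycles through user IDs, one of them unknown.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "nosuchuser", False),
    (1, "203.0.113.7", "alice", False),
    (2, "203.0.113.7", "bob", False),      # third failure: address locked
    (3, "203.0.113.7", "alice", True),     # valid credentials, still refused
    (4, "198.51.100.4", "alice", True),    # other addresses are unaffected
    (902, "203.0.113.7", "alice", True),   # lock expired at t=902
]
```

Because the lock applies to the address, every user behind a shared NAT or proxy address is refused while it is in effect.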