Perhaps I’m not understanding the problem, but this is working as designed (i.e., according to spec).
When you open a passive data connection to an FTP server, vanilla or SSLed, you’re telling the remote host to forgo the process of connecting back to *your* machine with the PORT command, as the RFC and STD docs specify, and to open another port itself (i.e., on the remote host) for the data channel. Unless the remote machine is aware that it is directly connected to the Internet (or a dedicated connection, such as a frame relay circuit and whatnot) then all it can do is define the PASV response information using its own IP.
There are two ways around this: Have the remote FTPS host directly connected to the Internet (and make sure it’s locked down tight), or arrange to have a firewall implemented between the ‘net and this remote host that is able to do packet inspection and do the address translation without the hosts at either end having to know anything about it.
I know that Nokia’s firewalls do such translation, because it’s how we make our non-Internet-connected transfer hosts available to our clients. I’m sure Nokia isn’t the only one capable of doing this…