telnet to the ip address / port. The system should return a banner if the port is truly open. You can also run netstat -an at a command prompt to see if the host is listening on port 21. You can also use the Process Explorer tool from Sysinternals (Microsoft) to see what IP addresses are connected to processes/ports.
Just to add – If the port is TCPwrapped, kindly make sure that the allow and deny rules reflect the intended configuration and not something that leaves a backdoor for an attacker to get in. Since the port is TCPwrapped it would generally be assumed to be secure and can easily fool anyone. So beware and doublecheck the config.