I wonder how he just happened to notice the keylogger connecting to FTP? Did he have a monitor in the background or something? Seems like that would be a good practice for doing things like this, and this guy obviously knows his stuff.
A simple firewall should do the job, or failing that wireshark. I'm assuming the guy did this inside a VM and had the host machine monitoring what was happening.
I guess he simply had a firewall that monitors active connections on his workstation (when an unregistered program tried to access the network an alert showed up).
It looks like the author of the article was using Wireshark to intercept network traffic. In the article there is a screenshot of a window with the title "follow TCP stream" and a headline "Stream content", exactly like in Wireshark.
I have used the same trick sometimes when nobody could remember the FTP credentials, but they were stored in the FTP program and a connection to the FTP server was still possible. Sometimes the guy with access to the admin panel is just not available, so a possible solution is to use Wireshark to retrieve the password, which is usually transmitted without encryption.