I haven't tested this myself but I believe you had the right idea. Use the Targeted prevention policy and create a custom sandbox for the ftp daemon. If you don't want any restrictions then make it a Fully Open sandbox.
Edit the list of programs to route to the PSET, then add the FTP program path.
/usr/sbin/vsftpd
Use the Arguments field to designate the Start variable.
&ci; *start*
Use the Rule Name field so we can reference this event for our Alert.
In the UMC Server Console go to Monitor->Alerts
Add a new Alert called FTP Daemon Started or whatever makes sense to you.
For the Filter, we want to say: if we see an event with our custom rule name, trigger the Alert.
Add the Email Alert section with the body populated with all of the fields from the event you wish to include.
Note: You need to see the event being generated in the Console first. The Alert will only trigger if the event makes it into the DB. The event may be Informational severity so you need to make sure your Prevention Parameters (aka Configs) are configured to send all events up to the manager while you are testing.