Hestia CP security

More important to note here again (because I feel like it got lost on the way): the log marked as #2 from 21:50:58 clearly shows that something was changed in the web-domain settings (disabled redirection and HSTS), and with that the password for an additional FTP user was also set or changed.

This has nothing to do with the admin password itself, and you can identify this by the underscore in `admin_xxxx` in the log message.

So you might want to check your web-domain settings for that FTP user; probably you are just confusing things here a bit :wink: