Question
Allow only relevant protocol for associated port
Hi,

We will be implementing a FortiGate firewall using transparent proxy to replace an existing proxy server for outbound access. This will be set up for a school and will require restrictive outbound access. The firewall will be configured to use the FortiGuard service to define which web categories are accessible.

My initial plan is to implement a general outbound firewall rule to allow the HTTP, HTTPS and FTP ports. My concern is that the firewall rule will have FTP (port 21) outbound to any destination address. How can I configure the firewall so that only the FTP protocol is allowed outbound on port 21? My concern is that someone could set up an SSH server on port 21 at home and connect to it. I only want FTP protocol traffic on port 21, and I would possibly use a similar method so that anything that is not HTTP or HTTPS traffic on ports 80 and 443 is blocked.

I have done some initial testing and can apply application control to block SSH on the rule, which works. However, I think it would be more accurate, if possible, to define a rule that blocks anything that is not FTP on port 21. Is this possible? I have looked through the cookbook and KB but have been unable to find an answer.

Many thanks.
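The setup described in the question, as an added CLI example that is not part of the original post and is not Fortinet's own documentation: a single outbound policy for the school LAN that allows only the predefined HTTP, HTTPS and FTP service objects, runs in proxy inspection mode with a FortiGuard web filter profile, and attaches an application control profile. The application control profile uses FortiOS's network protocol enforcement (`enforce-default-app-port` and `default-network-services`, assumed to be available on the FortiOS version in use, 6.2 or later) so that a session on TCP/21 that is not identified as FTP, or on TCP/80 and TCP/443 that is not identified as HTTP or HTTPS, is blocked regardless of destination. This is what an SSH server listening on port 21 at home would hit. Interface names (`internal`, `wan1`), profile names and policy ID are assumptions; adjust them to the deployment.

```fortios
# Added example, not from the original post. Interface and profile names are assumptions.

# Application control profile: enforce that the protocol seen on a port matches
# the protocol that port is meant to carry. Anything else on that port is blocked.
config application list
    edit "school-protocol-enforce"
        set comment "Block non-FTP on 21 and non-HTTP/HTTPS on 80/443"
        # Enables checking of the application's default port against the port in use
        set enforce-default-app-port enable
        config default-network-services
            # TCP/21 must be FTP; SSH (or anything else) on 21 is blocked
            edit 1
                set port 21
                set services ftp
                set violation-action block
            next
            # TCP/80 must be HTTP
            edit 2
                set port 80
                set services http
                set violation-action block
            next
            # TCP/443 must be HTTPS (TLS)
            edit 3
                set port 443
                set services https
                set violation-action block
            next
        end
    next
end

# Outbound policy from the school LAN. Only the three service objects are allowed;
# everything else falls through to the implicit deny at the end of the policy table.
config firewall policy
    edit 10
        set name "students-outbound"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        # Predefined objects: HTTP = TCP/80, HTTPS = TCP/443, FTP = TCP/21
        set service "HTTP" "HTTPS" "FTP"
        set utm-status enable
        # Proxy-based inspection is required for the transparent proxy deployment
        set inspection-mode proxy
        # FortiGuard category-based web filtering (profile assumed to exist)
        set webfilter-profile "school-webfilter"
        # Attach the protocol-enforcing application control profile above
        set application-list "school-protocol-enforce"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end
```

With this in place, a test from a LAN client such as `ssh -p 21 user@home.example` (a constructed hostname) should be dropped and appear in the application control log with the violation action, while a normal FTP session to port 21 is allowed; the earlier approach of blocking the SSH signature in the application control profile can be kept alongside it as a second layer, since protocol enforcement covers any non-FTP protocol on the port rather than just SSH.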
