diff --git a/CHANGELOG b/CHANGELOG
index a212011dd0..2cc8490190 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,7 +1,7 @@
 git-annex (6.20180622) UNRELEASED; urgency=high
 
 * Added annex.security.allowed-url-schemes setting, which defaults
- to only allowing http and https URLs. Note especially that file:/
+ to only allowing http, https, and ftp URLs. Note especially that file:/
 is no longer enabled by default. This is a security fix.
 * Removed annex.web-download-command, since its interface does not
 allow supporting annex.security.allowed-url-schemes across redirects.
diff --git a/NEWS b/NEWS
index f09009dbb0..2dcc72e52b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,6 @@
 git-annex (6.20180622) upstream; urgency=high
 
- A security fix has changed git-annex to only support http and https
+ A security fix has changed git-annex to only support http, https, and ftp
 URL schemes by default. You can enable other URL schemes, at your own
 risk, using annex.security.allowed-url-schemes.
diff --git a/Types/GitConfig.hs b/Types/GitConfig.hs
index 98c8c6e83c..7d9ccbff1f 100644
--- a/Types/GitConfig.hs
+++ b/Types/GitConfig.hs
@@ -162,7 +162,7 @@ extractGitConfig r = GitConfig
 , annexRetryDelay = Seconds <$> getmayberead (annex "retrydelay")
 , annexAllowedUrlSchemes = S.fromList $ map mkScheme $
- maybe ["http", "https"] words $
+ maybe ["http", "https", "ftp"] words $
 getmaybe (annex "security.allowed-url-schemes")
 , annexAllowedHttpAddresses = fromMaybe "" $
 getmaybe (annex "security.allowed-http-addresses")
diff --git a/Utility/Url.hs b/Utility/Url.hs
index 5664c47124..3301a4b0ef 100644
--- a/Utility/Url.hs
+++ b/Utility/Url.hs
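Review bot: The default scheme list `["http", "https", "ftp"]` is now spelled out twice, here in extractGitConfig and again in defUrlOptions in the Utility/Url.hs hunk, and this very commit had to edit both, which is how the two copies will drift the next time one of them is forgotten. Since this list is the security default, keep it in one exported value (for instance a `defaultUrlSchemes` in Utility/Url.hs used by both sites) and write `maybe defaultUrlSchemes words $` here. extractGitConfig begins before this hunk, so the rest of the record is not visible.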
@@ -100,7 +100,7 @@ defUrlOptions = UrlOptions
 <*> pure DownloadWithConduit
 <*> pure id
 <*> newManager managerSettings
- <*> pure (S.fromList $ map mkScheme ["http", "https"])
+ <*> pure (S.fromList $ map mkScheme ["http", "https", "ftp"])
 
 mkUrlOptions :: Maybe UserAgent -> Headers -> UrlDownloader -> Manager -> S.Set Scheme -> UrlOptions
 mkUrlOptions defuseragent reqheaders urldownloader manager =
diff --git a/doc/git-annex.mdwn b/doc/git-annex.mdwn
index c43c8012a9..e3386f3939 100644
--- a/doc/git-annex.mdwn
+++ b/doc/git-annex.mdwn
@@ -1394,7 +1394,7 @@ Here are all the supported configuration settings.
 * `annex.security.allowed-url-schemes`
 
 List of URL schemes that git-annex is allowed to download content from.
- The default is "http https".
+ The default is "http https ftp".
 Think very carefully before changing this; there are security
 implications. For example, if it's changed to allow "file" URLs, then
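Review bot: Adding "ftp" to the built-in default widens what git-annex will fetch without any user opt-in, and nothing in this hunk or the Types/GitConfig.hs hunk shows whether `annex.security.allowed-http-addresses` (read right next to the scheme list there) is also applied to ftp URLs; if ftp downloads take a path where that address restriction is not consulted, the new default would give back part of what the address check was added to prevent, so that is worth confirming before this default ships. The decision also deserves a why-comment on the new line, something like `-- ftp is in the default scheme set because <reason>` with the actual reason filled in, since the CHANGELOG describes the scheme restriction as a security fix and a later reader will wonder why a plaintext scheme is enabled by default. defUrlOptions starts before this hunk.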