At the moment, spectator. But if someone else who stumbles upon this server and has other motives, they could be able to dig further and gain access to DB files.

Then we would be at risk since I assume that's where they store our user credentials needed to login to our website backend and make updates. Although, that will be least of our worries since we can simply reset the username/passwords that have accessed out sites since we have activity logs.

If there's a potential risk that someone could gain access to your system by breaching theirs then I would raise it with them immediately.

As they're accessing your system you can probably safely say you always do a security check on hosts connecting to your system to ensure there aren't problems. In this instance it showed that they have an open FTP server.