As I understand Cloudflare can only protect against DDoS attacks if the attacker is sending the traffic to the domain, not to the IP directly. So if the attacker discovers the IP the Cloudflare orange cloud is useless.
We use the orange cloud for all our web traffic. That is good. But we also have FTP services running on the same server. But according to your own advice, we should use the grey cloud for FTP services: https://support.cloudflare.com/hc/en-us/articles/200169626-What-subdomains-are-appropriate-for-orange-gray-clouds-
Thus giving an attacker an opportunity to easily find the IP by looking for the FTP IP address.
I guess almost every web server needs FTP access, and I also assume it is the same IP address like the web server in >99% of the cases.
How can we effectively hide the FTP IP address?