diff --git a/src/FtpContext.ts b/src/FtpContext.ts
index 76b06bb..1b7effb 100644
--- a/src/FtpContext.ts
+++ b/src/FtpContext.ts
@@ -61,6 +61,8 @@ export class FTPContext {
     ipFamily: number | undefined = undefined
     /** Options for TLS connections. */
     tlsOptions: TLSConnectionOptions = {}
+    /** Most recent TLS session from the control connection, used to resume the session on data connections. */
+    tlsSessionStore: Buffer | undefined = undefined
     /** Current task to be resolved or rejected. */
     protected _task: Task | undefined
     /** A multiline response might be received as multiple chunks. */
@@ -150,6 +152,7 @@ export class FTPContext {
         this.dataSocket = undefined
         // This being a reset, reset any other state apart from the socket.
         this.tlsOptions = {}
+        this.tlsSessionStore = undefined
         this._partialResponse = ""
         if (this._socket) {
             const newSocketUpgradesExisting = socket.localPort === this._socket.localPort
@@ -175,6 +178,9 @@ export class FTPContext {
             // Control being closed without error by server is treated as an error.
             socket.on("close", hadError => { if (!hadError) this.closeWithError(new Error("Server closed connection unexpectedly.")) })
             this._setupDefaultErrorHandlers(socket, "control socket")
+            if (socket instanceof TLSSocket) {
+                socket.on("session", session => { this.tlsSessionStore = session })
+            }
         }
         this._socket = socket
     }
diff --git a/src/transfer.ts b/src/transfer.ts
index 00bd598..d75ee6a 100644
--- a/src/transfer.ts
+++ b/src/transfer.ts
@@ -130,8 +130,12 @@ export function connectForPassiveTransfer(host: string, port: number, ftp: FTPCo
                     // security: If a completely new session would be negotiated, a hacker
                     // could guess the port and connect to the new data connection before we do
                     // by just starting his/her own TLS session.
-                    session: ftp.socket.getSession()
+                    session: ftp.tlsSessionStore ?? ftp.socket.getSession()
                 }))
+                // When the server issues a new session ticket after this data connection's
+                // TLS handshake (TLS 1.3 single-use tickets), capture it so the next data
+                // connection can present a fresh ticket and resume successfully.
+                socket.on("session", session => { ftp.tlsSessionStore = session })
                 // It's the responsibility of the transfer task to wait until the
                 // TLS socket issued the event 'secureConnect'. We can't do this
                 // here because some servers will start upgrading after the