Just take this test: Try to download the Filezilla and when the download page shows click on the Direct Link. Then compare the two executables, one that downloaded automatically and the one that it downloaded via the direct link.
You will see that the direct download is clean but the other has the SF icon and it has a virus!
It's easy to blame Sourceforge. But Filezilla is not a SourceForge project and they can choose whatever hosting they want. I wonder what else they missed on.