what service is being exploited?

Exhibit:
Given the following extract from the snort log on a honeypot, what service is being exploited? :

A.
FTP

B.
SSH

C.
Telnet

D.
SMTP

Explanation:
The connection is done to 172.16.1.104:21.