It's a shock when it first happens. There are three common possible causes, and you need to investigate them to prevent a repeat:
Your FTP password may been grabbed one of the examples of malware that are design specifically for that purpose. No security software has 100% detection - it's not practically possible.
If you have a shared server, as most people do, someone else's server space was compromised to an extent that allowed access to your account, which can easily happen if the host's own security measures are not good enough. This can be spotted if other sites with the same host are also hacked. If you can find evidence for this, move to another host.
Your PHP scripts are not up to scratch security-wise and someone with the skill to do it was able to exploit that. Similarly, your php.ini file may need some adjustment. If you have any PHP programs on your server but you don't have a php.ini file, you need one!
The last option is the most common method of hacking websites.