I understand that F-secure etc will trigger on it.
Just tell them that port 123 shouldn’t be checked for source.
Then it won’t trigger anything.
And if you are worried over an attack, then change the trigger to e.g. 10 times a minute on same ip.
As an NTP-client doesn’t come that often.
To me it looks like false positives.